Two API endpoints — one public, one authenticated. Inspect the CORS response headers on each. One endpoint leaks sensitive data to any origin via a wildcard policy. Find the misconfigurations.
CORS (Cross-Origin Resource Sharing) controls which external domains can read responses from your API. A misconfigured policy — such as Access-Control-Allow-Origin: * on an authenticated endpoint — allows any website to make requests and read your API's response on behalf of a logged-in user. Origin reflection (echoing the caller's Origin header back) and accepting null origins are two common bypass vectors.
| Verdict | Finding |
|---|---|
| True Positive | Public endpoint returns ACAO (Access-Control-Allow-Origin): * — correct, no auth involved |
| Bug Found | Authenticated endpoint returns ACAO: * — exposes sensitive data to any origin |
| Bug Found | Preflight returns both ACAO: * and ACAC (Access-Control-Allow-Credentials): true — invalid combination per spec |
| Bug Found | Credentialed fetch to private endpoint accepted — server should reject credentials: include with wildcard |
| Bug Found | Server reflects any arbitrary Origin header back in ACAO without allowlist validation |
| Bug Found | Server accepts null origin with credentials — sandboxed iframe bypass |
Fetch the public card listing. Inspect the CORS headers returned. A wildcard policy is correct here — no authentication is involved and the data is public.
GET /qa-sandbox/cors/api/public/
Fetch the private endpoint and inspect its CORS headers. The endpoint returns sensitive account data. Check whether the ACAO header restricts cross-origin access appropriately.
GET /qa-sandbox/cors/api/private/
Send an OPTIONS preflight to the private endpoint. Browsers send this automatically before credentialed cross-origin requests. Inspect what the server advertises it will accept.
OPTIONS /qa-sandbox/cors/api/private/
Fetch the private endpoint with credentials: 'include'. A correctly secured endpoint would require a specific origin in ACAO — not * — to allow cookies to be sent and read cross-origin.
This endpoint builds its CORS response by reflecting the caller's Origin header directly into Access-Control-Allow-Origin without validation. Trigger the check to inspect the reflected header in the response.
Some servers allowlist the literal string null as a trusted origin. Browsers send Origin: null from sandboxed iframes, file:// URLs, and data: URIs — which attackers can craft. Trigger the check to see the server's response.
1. Fetch Public API — inspect the ACAO header. Wildcard is acceptable on a public, unauthenticated endpoint (true positive).
2. Fetch Private API — inspect the ACAO header. The authenticated endpoint returns * — a cross-origin attacker could read the API key and session token (bug found).
3. Send OPTIONS Preflight — inspect ACAO and Access-Control-Allow-Credentials together. The combination * + credentials: true is forbidden by the spec — browsers reject it, but the server should never send it (bug found).
4. Fetch with credentials: include — a credentialed fetch to an endpoint returning ACAO: *. Browsers block the read in a real cross-origin scenario, but the server's misconfiguration intent is visible in the headers (bug found).
5. Test Origin Reflection — the server echoes your Origin back verbatim instead of checking an allowlist. Any attacker domain would be granted access (bug found).
6. Test Null Origin — the server accepts null as a trusted origin with credentials. An attacker uses a sandboxed iframe to send this and read the authenticated response (bug found).
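The six checks above, as an added Python example that is not part of the sandbox's own code: `audit_cors` classifies one response's headers into the findings listed in the table, and `safe_cors_headers` shows the hardened policy the private endpoint should use. `ALLOWLIST` and the `https://app.example.com` / `https://evil.example` origins are constructed assumptions.

```python
# Added example (not the sandbox's own code): audit CORS response headers for the
# misconfigurations above, and show the hardened policy for an authenticated endpoint.
# ALLOWLIST is an assumed, constructed set of trusted origins.
ALLOWLIST = {"https://app.example.com"}


def audit_cors(origin, headers, authenticated, allowlist=ALLOWLIST):
    """Return the misconfigurations visible in one response.

    origin:        the Origin header the probe sent (None if absent)
    headers:       response headers as a dict (header names in any case)
    authenticated: True when the endpoint serves per-user data
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao is None:
        return findings  # no cross-origin read is granted at all
    if acao == "*":
        if authenticated:
            findings.append("wildcard ACAO on authenticated endpoint")
        if acac:
            findings.append("ACAO * combined with ACAC true (forbidden by spec)")
    elif acao == "null":
        if acac:
            findings.append("null origin trusted with credentials")
    elif origin and acao == origin and origin not in allowlist:
        # The probe used an origin that is not trusted, yet it came back verbatim.
        findings.append("Origin reflected without allowlist validation")
    return findings


def safe_cors_headers(origin, allowlist=ALLOWLIST):
    """Hardened policy for the private endpoint: only allowlisted origins,
    never the literal null, never a wildcard alongside credentials."""
    if origin is None or origin == "null" or origin not in allowlist:
        return {}  # omit CORS headers entirely; the browser then blocks the read
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # stop caches serving one origin's ACAO to another
    }
```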