23 February 2026·5 min read

CORS Misconfigurations: The Vulnerability Hiding in Plain Sight

A misconfigured CORS policy can expose your users' data to any website on the internet. Here's how it happens and how to detect it.

Tags: CORS, web security, API security

Cross-Origin Resource Sharing (CORS) is one of the most commonly misconfigured security mechanisms on the web. When set up incorrectly, it can allow any website to make authenticated requests to your API and read the responses — effectively bypassing the same-origin policy entirely.

What CORS does

Browsers enforce the same-origin policy: JavaScript on evil.com can't read responses from api.yoursite.com. CORS relaxes this restriction for specific origins you trust. The problem is that many developers relax it too much.

The dangerous patterns

The most common misconfiguration is reflecting the Origin header back in Access-Control-Allow-Origin. This happens when developers dynamically set the allowed origin to whatever the request sends, effectively trusting every site on the internet.

# What the attacker sends:
Origin: https://evil.com

# What your server responds:
Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true

# This means evil.com can read your users' data

Other dangerous patterns include allowing the null origin (exploitable via sandboxed iframes), trusting all subdomains (one compromised subdomain exposes everything), and using a loose regex or substring match that also accepts attacker-registered domains such as evil-yoursite.com.

How to fix it

Maintain an explicit allowlist of trusted origins. Never reflect the Origin header blindly. Never allow null. If you need a wildcard for a truly public API, make sure you're not also setting Access-Control-Allow-Credentials: true — browsers actually block this combination, but it signals a misunderstanding that often leads to other issues.
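The following is an added example, not code from the original post: four ways a server might decide whether to honour a request's Origin header (reflection, suffix match, unanchored regex, exact allowlist), a helper that turns that decision into response headers, and a set of constructed probe origins covering the bypasses described above. The host names yoursite.com and app.yoursite.com are placeholders taken from the post.

```javascript
// Added example (not from the original post). "yoursite.com" is a placeholder.
const TRUSTED_ORIGINS = new Set([
  'https://yoursite.com',
  'https://app.yoursite.com',
]);

// Pattern 1 (vulnerable): reflect whatever Origin the request carries,
// including the literal string "null".
function allowByReflection(origin) {
  return origin !== undefined;
}

// Pattern 2 (vulnerable): "trust all subdomains" via a suffix check. The
// string test has no leading dot, so evil-yoursite.com passes as well.
function allowBySuffix(origin) {
  return typeof origin === 'string' && origin.endsWith('yoursite.com');
}

// Pattern 3 (vulnerable): regex with an unescaped dot and no end anchor, so
// https://yoursite.com.evil.com and any subdomain match.
function allowByLooseRegex(origin) {
  return typeof origin === 'string' && /^https:\/\/(.*\.)?yoursite.com/.test(origin);
}

// Pattern 4 (safe): exact-match allowlist on the full origin string
// (scheme, host, port). "null" is never in the set, so it is never accepted.
function allowByAllowlist(origin) {
  return typeof origin === 'string' && TRUSTED_ORIGINS.has(origin);
}

// Build the response headers for a credentialed API. When the origin is not
// allowed, no CORS headers are sent at all and the browser withholds the body.
function corsHeaders(origin, isAllowed) {
  if (!isAllowed(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Vary on Origin so a shared cache never serves one origin's header to another.
    'Vary': 'Origin',
  };
}

// Constructed probe origins (not real sites) covering the patterns in the post.
const PROBES = [
  'https://evil.com',               // plain cross-site attacker origin
  'null',                           // sandboxed iframe / opaque origin
  'https://evil-yoursite.com',      // suffix bypass
  'https://yoursite.com.evil.com',  // unanchored-regex bypass
  'https://evil.yoursite.com',      // untrusted subdomain
  'https://app.yoursite.com',       // legitimate origin
];

// Returns the probe origins a policy accepts even though they are not trusted.
function wronglyAccepted(isAllowed) {
  return PROBES.filter((o) => !TRUSTED_ORIGINS.has(o) && isAllowed(o));
}
```

Running wronglyAccepted against each policy shows the reflection policy accepting every untrusted probe, the suffix and regex policies each accepting two, and only the exact allowlist accepting none.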

Test your site

KrakenProbe's CORS scanner automatically tests for origin reflection, null origin, subdomain trust, and prefix-match bypass. Run a free scan to see if your site is vulnerable.
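As an added example of the classification logic such a check performs (this is not KrakenProbe's code or the original post's), the function below compares the Origin sent in a probe with the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers received and names the pattern it sees. The probe records are constructed inline; yoursite.com and the trusted-origin set are placeholders.

```javascript
// Added example (not KrakenProbe's scanner, not from the original post).
const SITE_HOST = 'yoursite.com'; // placeholder
const TRUSTED = new Set(['https://yoursite.com', 'https://app.yoursite.com']);

// Given { origin, headers } for one probe, return the misconfiguration
// findings observed in the response (empty array means nothing was flagged).
function classifyCorsResponse(probe) {
  const { origin, headers } = probe;
  const acao = headers['access-control-allow-origin'];
  const creds = String(headers['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  const findings = [];

  if (acao === undefined) return findings; // no CORS relaxation at all

  // Browsers reject this combination, but it signals a misunderstanding.
  if (acao === '*' && creds) findings.push('wildcard-with-credentials');

  if (acao === 'null') findings.push('null-origin-allowed');

  if (acao === origin && origin !== 'null' && !TRUSTED.has(origin)) {
    let host = null;
    try { host = new URL(origin).hostname; } catch (e) { host = null; }
    if (host === null) {
      findings.push('origin-reflection');
    } else if (host.endsWith('.' + SITE_HOST)) {
      findings.push('subdomain-trust');
    } else if (host.includes(SITE_HOST)) {
      findings.push('prefix-or-suffix-bypass');
    } else {
      findings.push('origin-reflection');
    }
  }

  // A flagged origin plus credentials means authenticated data is readable.
  if (findings.length > 0 && creds && !findings.includes('wildcard-with-credentials')) {
    findings.push('credentials-exposed');
  }
  return findings;
}

// Constructed probe responses, one per pattern in the post.
const PROBES = [
  { origin: 'https://evil.com',
    headers: { 'access-control-allow-origin': 'https://evil.com', 'access-control-allow-credentials': 'true' } },
  { origin: 'null',
    headers: { 'access-control-allow-origin': 'null', 'access-control-allow-credentials': 'true' } },
  { origin: 'https://evil-yoursite.com',
    headers: { 'access-control-allow-origin': 'https://evil-yoursite.com', 'access-control-allow-credentials': 'true' } },
  { origin: 'https://evil.yoursite.com',
    headers: { 'access-control-allow-origin': 'https://evil.yoursite.com' } },
  { origin: 'https://evil.com',
    headers: { 'access-control-allow-origin': '*', 'access-control-allow-credentials': 'true' } },
  { origin: 'https://evil.com', headers: {} },
  { origin: 'https://app.yoursite.com',
    headers: { 'access-control-allow-origin': 'https://app.yoursite.com', 'access-control-allow-credentials': 'true' } },
];

// Summarise a batch of probes as [{ origin, findings }] for only the flagged ones.
function scan(probes) {
  return probes
    .map((p) => ({ origin: p.origin, findings: classifyCorsResponse(p) }))
    .filter((r) => r.findings.length > 0);
}
```

The trusted-origin set is what keeps a legitimate subdomain from being reported as subdomain trust; a scanner that does not know which origins you intend to allow has to report every reflected subdomain and leave the judgement to you.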
