Research on CORS Misconfiguration

What is CORS?

A request for a resource (such as an image or a font) from outside the page's own origin is known as a cross-origin request.

  1. User loads the page from “”
  2. While loading the initial page from “” a request is made to “”. This request is known as a cross-origin request, so the browser will first perform a pre-flight request.
  3. If the pre-flight request is successful “” sends the:

What is the CORS Misconfiguration?

An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of the request.

Types of CORS Attacks

1. Server-generated ACAO header from client-specified Origin header

  1. Cross-origin redirects.
  2. Requests from serialized data.
  3. Requests using the file: protocol.
  4. Sandboxed cross-origin requests.

  1. Proper configuration of cross-origin requests
  2. Only allow trusted sites
  3. Avoid whitelisting null
  4. Avoid wildcards in internal networks
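The misconfiguration named above (the server copies the client's Origin header into Access-Control-Allow-Origin) next to an allowlist-based version that applies the mitigations listed, as an added example that is not code from the original article; the origins in TRUSTED_ORIGINS are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allowlist of trusted origins (hypothetical values for this example).
TRUSTED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def reflecting_cors_headers(origin):
    """Misconfigured pattern: the server reflects whatever Origin the client sent
    into ACAO and also allows credentials, so any site (including a 'null'
    origin) can make authenticated two-way requests."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def strict_cors_headers(origin, allowlist=TRUSTED_ORIGINS, allow_credentials=True):
    """Hardened version: exact-match the Origin against an allowlist.
    Returns the response headers to emit, or {} when the origin is not trusted
    (the browser then blocks the cross-origin read)."""
    if origin is None or origin == "null":
        # 'null' is sent for sandboxed iframes, file: pages and some redirects;
        # whitelisting it is equivalent to trusting every site.
        return {}
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query:
        return {}  # malformed or non-HTTPS origins are not trusted
    if origin not in allowlist:
        # exact string comparison: prefix, suffix or regex matching lets
        # look-alike origins such as app.example.com.attacker.tld through
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def policy_is_sane(acao_value, allow_credentials, internal_service=False):
    """Config check: '*' must never be combined with credentials, and
    wildcards are not acceptable on internal-network services at all."""
    if acao_value == "*" and (allow_credentials or internal_service):
        return False
    return True
```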


Prajit Sindhkar

I am an India-based Security Researcher, Bugcrowd Top 500 Hacker and Bug Bounty Leader of the BUGXS Community