CORS Misconfiguration Enabling Cross-Origin Data Theft

During an assessment for one of our web clients, we discovered that the server reflected any Origin header value in its CORS response, combined with Access-Control-Allow-Credentials: true. This configuration allowed any external website to make authenticated requests on behalf of logged-in users. An attacker hosting a malicious page could silently fetch sensitive data from the application using the victim's session cookies.

Escalation to Mass Data Harvesting

Although the misconfiguration itself doesn't expose data, combining it with accessible endpoints created a scalable attack:

1. The attacker creates a malicious website (phishing page, compromised ad network, or watering hole attack).
2. The victim visits it while logged into the target application: their browser holds valid session cookies.
3. The attacker's JavaScript executes a cross-origin fetch with credentials: 'include', and the server responds with full data because it trusts the reflected origin.
4. Data is exfiltrated to the attacker's server: configuration files, user data, internal metadata, anything the victim's session can access.
5. The attack scales infinitely: every visitor to the malicious site becomes an unwitting data harvester. Thousands of victims, one malicious page.

In other words, a CORS misconfiguration transformed the victim's browser into an attacker-controlled proxy, bypassing all server-side authentication.

The Flow

Malicious Site → Reflected CORS → Authenticated Request → Data Exfiltration

Why This Is Key in Modern Web Apps

- CORS is the browser's last line of defense: when misconfigured, same-origin policy protections vanish entirely.
- Reflected origin + credentials = full access: the server treats attacker-controlled requests as legitimate authenticated calls.
- Attacks are invisible: victims see nothing; their browser silently fetches and forwards data.
- Scales with traffic: malvertising, compromised sites, or phishing campaigns can harvest data from thousands of users simultaneously.

That's why Security Misconfiguration (OWASP A05:2021) explicitly calls out CORS as a critical control.

Recommended Fix (technical detail)

Implement strict origin whitelist

- Never reflect arbitrary origins. Validate against an explicit allowlist:

  const allowedOrigins = [
    'https://app.example.com',
    'https://www.example.com',
    'https://admin.example.com'
  ];

  app.use((req, res, next) => {
    const origin = req.headers.origin;
    // The response depends on the Origin header: tell caches so a CDN
    // never serves one origin's CORS headers to another origin.
    res.setHeader('Vary', 'Origin');
    // Exact match only: scheme, host and port must all agree.
    if (allowedOrigins.includes(origin)) {
      res.setHeader('Access-Control-Allow-Origin', origin);
      res.setHeader('Access-Control-Allow-Credentials', 'true');
    }
    // No header = browser blocks the request
    next();
  });
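The allowlist middleware above decides per request whether to emit any Allow-Origin header at all. The following is an added example, not the page's own code: an exact-match check written as a plain function (so it runs without Express), placed beside the substring check that teams often write instead and that accepts lookalike origins. It goes a little beyond the page by also rejecting the "null" origin, a missing Origin header, scheme downgrades and port changes. The names decideCorsHeaders, looseSubstringCheck and compareChecks, and the sample origins, are assumptions made for this example.

```javascript
// Added example (not the page's middleware): exact-match origin allowlist
// versus a substring check, evaluated over constructed sample origins.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://www.example.com',
  'https://admin.example.com',
]);

// Decide which CORS headers to emit for one request. Returns an object of
// header name -> value; an untrusted origin gets no Allow-Origin at all.
function decideCorsHeaders(origin, allowed = ALLOWED_ORIGINS) {
  // Vary on Origin whenever the answer depends on it, so a shared cache or
  // CDN cannot serve one origin's Allow-Origin header to another origin.
  const headers = { Vary: 'Origin' };

  // No Origin header (same-origin navigation, plain curl) or the literal
  // "null" origin (sandboxed iframes, file://) is never trusted.
  if (typeof origin !== 'string' || origin === 'null') return headers;

  // Exact string comparison: scheme, host and port must all match, so
  // http://app.example.com and https://app.example.com:8443 are rejected.
  if (!allowed.has(origin)) return headers;

  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// The check NOT to write: a substring match on the company domain. It accepts
// https://evil-example.com and https://app.example.com.evil.test, which is the
// reflected-origin bug with extra steps.
function looseSubstringCheck(origin) {
  return typeof origin === 'string' && origin.includes('example.com');
}

// Wiring into Express (assumes an Express `app`; kept as a comment so this
// file runs without the dependency):
//   app.use((req, res, next) => {
//     const headers = decideCorsHeaders(req.headers.origin);
//     for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
//     next();
//   });

// Constructed sample origins: one trusted, the rest lookalikes or downgrades.
const SAMPLE_ORIGINS = [
  'https://app.example.com',
  'https://evil-example.com',
  'https://app.example.com.evil.test',
  'http://app.example.com',
  'https://app.example.com:8443',
  'null',
];

// Run both checks over the samples; returns { origin: { strict, loose } }.
function compareChecks(origins = SAMPLE_ORIGINS) {
  const result = {};
  for (const origin of origins) {
    result[origin] = {
      strict: 'Access-Control-Allow-Origin' in decideCorsHeaders(origin),
      loose: looseSubstringCheck(origin),
    };
  }
  return result;
}

console.table(compareChecks());
```

Running the file prints a table in which only https://app.example.com passes the strict check, while the substring check also accepts the two lookalikes; the Vary header is emitted on every response, including the ones that carry no Allow-Origin.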

Avoid wildcard with credentials

- Access-Control-Allow-Origin: * cannot be used with credentials: true (browsers block this), but reflected origins bypass this protection.
- If credentials aren't needed, use * without Allow-Credentials.

Validate on every response

- CORS headers must be set consistently across all endpoints, including error responses and static files.
- Middleware should intercept before any response is sent.

Monitor for CORS abuse

- Log Origin headers on sensitive endpoints
- Alert on unusual origins or high-volume cross-origin requests
- Consider CORS-specific WAF rules
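To make the monitoring points concrete, here is an added example, not part of the original write-up, of detection logic run over constructed access-log lines for a sensitive endpoint. It counts requests per Origin that is outside the allowlist and raises a high-volume alert once one unknown origin exceeds a threshold. The key=value log format, the threshold of 3, and the names parseLogLine and analyzeOriginLog are assumptions made for this example; the Origin value is attacker-controlled input, so it is logged and matched, never trusted.

```javascript
// Added example (not from the page): flag cross-origin requests from
// untrusted origins in a constructed access log.

const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://www.example.com',
  'https://admin.example.com',
]);

// Constructed log lines in a made-up "ts method path origin=... status=..."
// format. "origin=-" means the request carried no Origin header.
const SAMPLE_LOG = [
  '2024-05-01T10:00:01Z GET /api/user/profile origin=https://app.example.com status=200',
  '2024-05-01T10:00:02Z GET /api/user/profile origin=- status=200',
  '2024-05-01T10:00:03Z GET /api/user/profile origin=https://evil.test status=200',
  '2024-05-01T10:00:04Z GET /api/config origin=https://evil.test status=200',
  '2024-05-01T10:00:05Z GET /api/user/profile origin=https://evil.test status=200',
  '2024-05-01T10:00:06Z GET /api/user/profile origin=null status=200',
];

const LINE_RE = /^(\S+) (\S+) (\S+) origin=(\S+) status=(\d{3})$/;

// Parse one line into a record, or null when the line does not match.
function parseLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], method: m[2], path: m[3], origin: m[4], status: Number(m[5]) };
}

// Count requests per untrusted origin and turn the counts into alerts,
// most active origin first. Requests without an Origin header are skipped:
// they are same-origin or non-browser traffic, not a CORS read.
function analyzeOriginLog(lines, allowed = TRUSTED_ORIGINS, threshold = 3) {
  const counts = new Map();
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec) continue;                       // malformed line
    if (rec.origin === '-') continue;         // no Origin header
    if (allowed.has(rec.origin)) continue;    // trusted origin
    counts.set(rec.origin, (counts.get(rec.origin) || 0) + 1);
  }
  const alerts = [];
  for (const [origin, n] of counts) {
    alerts.push({
      origin,
      requests: n,
      severity: n >= threshold ? 'high-volume' : 'unknown-origin',
    });
  }
  return alerts.sort((a, b) => b.requests - a.requests);
}

console.log(analyzeOriginLog(SAMPLE_LOG));
```

On the sample log this reports https://evil.test with three requests as high-volume and the "null" origin with one request as unknown-origin; in production the same logic would run over the real access log with a threshold tuned to the endpoint's normal cross-origin traffic.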

Test thoroughly

  # Should NOT reflect evil origin
  curl -I -H "Origin: https://evil-attacker.com" \
    "https://app.example.com/api/user/profile"
  # Expected: No Access-Control-Allow-Origin header
  # OR: Access-Control-Allow-Origin with whitelisted domain only

  # Verify legitimate origins still work
  curl -I -H "Origin: https://app.example.com" \
    "https://app.example.com/api/user/profile"
  # Expected: Access-Control-Allow-Origin: https://app.example.com
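Reading those curl headers by eye works for two requests; a regression test wants a verdict. The following is an added example, not code from the page: parseHeaderBlock reads raw curl -I output and classifyCorsResponse says whether the server reflected the origin that was sent, used a wildcard, or answered with an allowlisted origin. The three responses are constructed (one "before" the fix, two "after"), and the function names are assumptions made for this example. Because "null" is not in the allowlist, a sent "null" origin that comes back in Allow-Origin is classified as reflected too.

```javascript
// Added example (not from the page): classify the CORS posture of a
// response to a request that carried a given Origin header.

const TRUSTED = new Set([
  'https://app.example.com',
  'https://www.example.com',
  'https://admin.example.com',
]);

// Parse "HTTP/1.1 200 OK\r\nName: value\r\n..." into a lowercase-keyed map.
function parseHeaderBlock(raw) {
  const headers = {};
  const lines = raw.split(/\r?\n/);
  for (const line of lines.slice(1)) {        // skip the status line
    const idx = line.indexOf(':');
    if (idx < 0) continue;                    // blank or malformed line
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Verdicts:
//   no-cors                    no Allow-Origin, the browser blocks the read
//   wildcard / -with-credentials  "*" (browsers refuse credentialed "*")
//   allowlisted                Allow-Origin names an approved origin
//   reflected / -with-credentials  Allow-Origin echoes an untrusted origin
//   unexpected-origin          Allow-Origin is neither trusted nor the sent value
function classifyCorsResponse(sentOrigin, headers, allowed = TRUSTED) {
  const acao = headers['access-control-allow-origin'];
  const withCreds = (headers['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === undefined) return 'no-cors';
  if (acao === '*') return withCreds ? 'wildcard-with-credentials' : 'wildcard';
  if (allowed.has(acao)) return 'allowlisted';
  if (acao === sentOrigin) return withCreds ? 'reflected-with-credentials' : 'reflected';
  return 'unexpected-origin';
}

// Constructed responses, as curl -I would print them.
const EVIL = 'https://evil-attacker.com';
const VULNERABLE_RESPONSE =
  'HTTP/1.1 200 OK\r\n' +
  'Content-Type: application/json\r\n' +
  `Access-Control-Allow-Origin: ${EVIL}\r\n` +
  'Access-Control-Allow-Credentials: true\r\n';
const FIXED_RESPONSE_EVIL =
  'HTTP/1.1 200 OK\r\n' +
  'Content-Type: application/json\r\n' +
  'Vary: Origin\r\n';
const FIXED_RESPONSE_TRUSTED =
  'HTTP/1.1 200 OK\r\n' +
  'Vary: Origin\r\n' +
  'Access-Control-Allow-Origin: https://app.example.com\r\n' +
  'Access-Control-Allow-Credentials: true\r\n';

// The two curl checks from the text, plus the "before" picture.
function runChecks() {
  return {
    before: classifyCorsResponse(EVIL, parseHeaderBlock(VULNERABLE_RESPONSE)),
    afterEvil: classifyCorsResponse(EVIL, parseHeaderBlock(FIXED_RESPONSE_EVIL)),
    afterTrusted: classifyCorsResponse('https://app.example.com', parseHeaderBlock(FIXED_RESPONSE_TRUSTED)),
  };
}

console.log(runChecks());
```

Expected verdicts are reflected-with-credentials before the fix, no-cors for the attacker origin after it, and allowlisted for https://app.example.com. Any verdict other than no-cors or allowlisted on a sensitive endpoint should fail the test run.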

Combined Impact

When both vulnerabilities exist together (as discovered in this assessment), the impact compounds:

  Vulnerability alone                              | Combined impact
  -------------------------------------------------|-------------------------------------------------------
  Info Disclosure: attacker must access directly   | CORS enables any website to fetch the exposed data
  CORS: limited to what endpoints return           | Info Disclosure provides the schema for deeper attacks
  Either: single-vector risk                       | Together: scalable reconnaissance + cross-origin theft

Lesson: Security findings rarely exist in isolation. Always assess how vulnerabilities chain together.

Both findings were discovered during an authorized security assessment. Individual severity: Medium-High. Combined severity: Critical. These represent common patterns where "minor" misconfigurations compound into business-critical risks.
