# CORS Misconfiguration

#### Description

CORS (Cross-Origin Resource Sharing) is the browser mechanism that relaxes the same-origin policy: a server opts in by answering a cross-origin request with `Access-Control-Allow-Origin` and, for cookie- or header-authenticated calls, `Access-Control-Allow-Credentials: true`. A CORS misconfiguration is a policy that trusts origins it should not, typically by reflecting any `Origin` header value, by allowing the `null` origin, or by matching the origin with a loose prefix, suffix or regex. When such a response also allows credentials, JavaScript on an attacker's page can make the victim's browser send its session cookies and then read the authenticated response, exposing data and, on state-changing endpoints, enabling unauthorized actions. Note that `Access-Control-Allow-Origin: *` on its own cannot leak authenticated data: browsers refuse to send credentials to a wildcard, so it only exposes responses that were already unauthenticated (or protected only by network position).

#### Example with Scenario

**Scenario:** A web application's API copies whatever `Origin` header it receives into `Access-Control-Allow-Origin` and sets `Access-Control-Allow-Credentials: true`. An attacker lures a logged-in user to a page on `http://evil.com`; script on that page calls the API with `credentials: "include"`, the victim's browser attaches the session cookie, and because the response names `http://evil.com` as an allowed origin, the script can read the JSON body and exfiltrate it.

#### Payloads and Test Cases

**Payloads**

1. **Attacker-controlled Origin (request header):**

   ```http
   Origin: http://evil.com
   ```
   Sent on every probe. Also try `Origin: null` and variants such as `http://target.example.evil.com` or `http://eviltarget.example`, which catch servers that match the origin by prefix or suffix instead of exactly.
2. **Wildcard Allow-Origin (vulnerable response header):**

   ```http
   Access-Control-Allow-Origin: *
   ```
3. **Over-broad Allow-Methods (vulnerable response header):**

   ```http
   Access-Control-Allow-Methods: GET, POST, PUT, DELETE
   ```

**Test Cases**

1. **Attacker-controlled Origin (reflection test):**
   * **Payload:**

     ```http
     Origin: http://evil.com
     ```
   * **Test Case:**

     ```javascript
     // Node 18+ (.mjs): a browser will not let a page forge Origin, so probe from a script
     const res = await fetch("https://target.example/sensitive-data", {
       headers: { Origin: "http://evil.com" },
     });
     // Vulnerable if our origin is echoed back; critical if credentials are allowed too
     console.log(res.headers.get("access-control-allow-origin"),
                 res.headers.get("access-control-allow-credentials"));
     ```
2. **Wildcard Allow-Origin:**
   * **Payload:**

     ```http
     Access-Control-Allow-Origin: *
     ```
   * **Test Case:**

     ```javascript
     // Node 18+ (.mjs): any unrelated origin is enough to expose a wildcard policy
     const res = await fetch("https://target.example/sensitive-data", {
       headers: { Origin: "http://any-origin.com" },
     });
     // "*" means any page can read this response, but only without cookies:
     // browsers refuse to send credentials to a wildcard origin
     console.log(res.headers.get("access-control-allow-origin"));
     ```
3. **Allowed Methods:**
   * **Payload:**

     ```http
     Access-Control-Allow-Methods: GET, POST, PUT, DELETE
     ```
   * **Test Case:**

     ```javascript
     // Node 18+ (.mjs): replay the preflight a browser sends before a state-changing call
     const res = await fetch("https://target.example/sensitive-data", {
       method: "OPTIONS",
       headers: {
         Origin: "http://allowed-origin.com",
         "Access-Control-Request-Method": "DELETE",
       },
     });
     // Over-broad if PUT/DELETE are advertised for an endpoint that only needs GET
     console.log(res.headers.get("access-control-allow-methods"));
     ```

The check in every case is on the response headers, not on the body: a non-browser client always receives the body, so "does the response contain data" says nothing about the CORS policy. What matters is whether `Access-Control-Allow-Origin` names the origin you sent (or `*`) and whether `Access-Control-Allow-Credentials: true` accompanies it.
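The probe set and the classification logic behind the three test cases above, as an added example that is not code from the playbook. It generates the `Origin` values a tester sends for a hypothetical host `target.example`, classifies the CORS headers that come back, and runs them against two constructed servers (one that reflects every origin with credentials, one with an exact-match allow-list); the server functions simulate HTTP responses and are not captures from any real host.

```javascript
// Added example, not code from the playbook: the Origin probes a tester sends
// and a classifier for the CORS response headers that come back. Only the
// response headers are examined; a non-browser client always gets the body.

// Probe origins derived from the target host. "null" covers sandboxed iframes
// and file:// pages; the rest catch loose prefix, suffix or scheme matching.
function probeOrigins(targetHost, attackerHost = "evil.com") {
  return [
    `https://${attackerHost}`,                 // arbitrary origin reflected?
    "null",                                    // null origin allowed?
    `https://${targetHost}.${attackerHost}`,   // prefix match: target.example.evil.com
    `https://not${targetHost}`,                // suffix match: nottarget.example
    `http://${targetHost}`,                    // plain-http twin, usable after a network MITM
  ];
}

// Case-insensitive header lookup over a plain object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Verdicts:
//   "none"                  no CORS grant for this origin (browser blocks the read)
//   "wildcard"              "*": readable by any page, but browsers never send
//                           credentials to it, so only unauthenticated data is exposed
//   "reflected"             our origin echoed back, no credentials
//   "reflected+credentials" our origin echoed back and cookies allowed: critical
//   "other"                 a fixed origin that is not the one we sent
function classify(sentOrigin, responseHeaders) {
  const acao = header(responseHeaders, "access-control-allow-origin");
  const creds = header(responseHeaders, "access-control-allow-credentials") === "true";
  if (acao === undefined) return "none";
  if (acao === "*") return "wildcard";
  if (acao === sentOrigin) return creds ? "reflected+credentials" : "reflected";
  return "other";
}

// Run every probe through `respond`, a function from Origin value to response
// headers (an HTTP client in a real test; simulated servers here).
function runProbes(targetHost, respond) {
  return probeOrigins(targetHost).map((origin) => ({
    origin,
    verdict: classify(origin, respond(origin)),
  }));
}

// Constructed sample servers (assumptions for this example, not real hosts).
// Vulnerable: reflects whatever Origin it received and grants credentials.
function vulnerableServer(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}
// Safe: exact-match allow-list with a single trusted front end; nothing for anyone else.
function safeServer(origin) {
  return origin === "https://app.target.example"
    ? { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true", Vary: "Origin" }
    : {};
}

// Example run against the simulated vulnerable server.
for (const r of runProbes("target.example", vulnerableServer)) {
  console.log(`${r.origin.padEnd(36)} -> ${r.verdict}`);
}
```

To use this against a live target, replace the simulated server with a `fetch` call that sets the `Origin` header and passes the response headers to `classify`; the `null` and prefix/suffix probes are the ones most often missed when a server "validates" the origin with a substring check.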

#### Mitigation

1. **Restrict Allowed Origins:**
   * Compare the request `Origin` against a fixed allow-list of complete origins (scheme, host and port) with an exact string match; never reflect the header unvalidated and never match by prefix, suffix or an unanchored regex.
   * Do not use the wildcard (`*`) in `Access-Control-Allow-Origin` for anything that is not genuinely public, and never allow the `null` origin.
2. **Limit Allowed Methods:**
   * Advertise in `Access-Control-Allow-Methods` only the methods the endpoint actually serves cross-origin.
   * Do not blanket-allow `GET, POST, PUT, DELETE`; the origin allow-list is the primary control, but a short method list limits what a trusted-but-compromised origin can do.
3. **Validate Preflight Requests:**
   * Handle `OPTIONS` preflights explicitly and apply the same origin check to them as to the real request.
   * Send `Vary: Origin` on every response that carries `Access-Control-Allow-Origin`, so shared caches never serve one origin's headers to another, and keep `Access-Control-Max-Age` short enough that policy changes take effect promptly.
4. **Use Credentials Securely:**
   * Set `Access-Control-Allow-Credentials: true` only on endpoints that need cookie- or header-authenticated cross-origin calls.
   * With credentials enabled the allow-list must be exact and HTTPS-only; a plain-http origin in the list lets a network attacker impersonate it.
5. **Do Not Rely on Content Security Policy (CSP):**
   * CSP governs what the application's own pages may load; the attacking page lives on the attacker's origin and carries whatever CSP the attacker chooses, so a CSP on the target does nothing against a CORS misconfiguration.
   * Keep CSP for its own purpose (limiting the impact of XSS) and treat the server-side origin allow-list as the CORS control.
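The mitigations above in code, as an added example that is not the playbook's or any framework's own implementation: a reflecting handler that exhibits the misconfiguration, beside a hardened handler that applies an exact-match origin allow-list, refuses `null`, sends `Vary: Origin`, and answers preflights with a fixed method list. Both take a plain `{ method, headers }` object with lowercase header names (as Node's `req.headers` provides) and return the CORS response headers to set, or `null` for "send no CORS headers"; the allowed origins, methods and headers are assumptions for this example.

```javascript
// Added example, not code from the playbook or from any framework.

// VULNERABLE: echoes any Origin and grants credentials. A page on any origin
// can now read authenticated responses in the victim's browser.
function reflectingCors(req) {
  const origin = req.headers["origin"];
  if (!origin) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// HARDENED: exact-match allow-list of full origins (scheme + host + port),
// no "null", no substring or regex matching, Vary: Origin so caches never
// hand one origin's grant to another, and a fixed preflight method list.
const ALLOWED_ORIGINS = new Set([           // assumption: the app's own front ends
  "https://app.target.example",
  "https://admin.target.example",
]);
const ALLOWED_METHODS = ["GET", "POST"];    // assumption: all this API needs cross-origin
const ALLOWED_HEADERS = ["Content-Type", "Authorization"];

function strictCors(req, allowed = ALLOWED_ORIGINS) {
  const origin = req.headers["origin"];
  // No grant for missing, "null" or unlisted origins: the browser blocks the read.
  if (!origin || origin === "null" || !allowed.has(origin)) return null;

  const headers = {
    "Access-Control-Allow-Origin": origin,   // echo only after the exact match above
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };

  const requested = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && requested) {
    // Preflight: refuse methods outside the allow-list rather than advertising them.
    if (!ALLOWED_METHODS.includes(requested.toUpperCase())) return null;
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600";  // short enough that policy changes take effect
  }
  return headers;
}

// Example: the same attacker request against both handlers.
const attackerRequest = { method: "GET", headers: { origin: "https://evil.com" } };
console.log("reflecting:", reflectingCors(attackerRequest));
console.log("strict:    ", strictCors(attackerRequest));
```

Wire `strictCors` into a request handler by copying the returned headers onto the response (and answering a preflight with `204`); the allow-list check runs before any business logic, so a rejected origin gets the normal response body but no grant, which is what the browser needs to refuse the cross-origin read.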

