# Test CORS Behavior

## Goal

Determine whether the CORS policy is too permissive, reflects attacker-controlled origins unsafely, or is being misunderstood as an authorization control.

## Assumptions

- One or more API or browser-facing endpoints rely on cross-origin access.
- CORS is enforced by the browser. The server only advertises the policy in response headers, so CORS is not access control in the general sense: a non-browser client ignores it entirely.
- Credential and origin handling may be misconfigured.

## Prerequisites

- Endpoints that return CORS headers.
- The ability to send requests with a custom `Origin` header.
- An understanding of whether cookies or other credentials are involved in the cross-origin flow.

## Recon steps

1. Identify endpoints that are accessed cross-origin.
2. Record the `Access-Control-*` headers on normal responses and on `OPTIONS` preflights.
3. Observe whether `Access-Control-Allow-Origin` is static, a wildcard (`*`), or a reflection of the request's `Origin`.

## Exploit / test steps

1. Send requests with attacker-controlled `Origin` values and note whether they are reflected.
2. Check whether `Access-Control-Allow-Credentials: true` is returned alongside a reflected origin; that combination lets a malicious page read authenticated responses.
3. Compare preflight and non-preflight behavior: a simple request (for example a `GET` or a form-encoded `POST`) is sent without a preflight, so it reaches the server and can change state even when the response cannot be read.
4. Test subdomain and scheme variations of trusted origins (`http://` instead of `https://`, arbitrary subdomains, the trusted hostname embedded in an attacker domain, the literal `null` origin).
5. Where the allowed origin varies per request, note whether `Vary: Origin` is set; without it a shared cache can serve one origin's response to another.
6. Confirm whether the team is relying on CORS where server-side authorization should exist.

## Validation clues

- An attacker origin is reflected in `Access-Control-Allow-Origin`.
- `Access-Control-Allow-Credentials: true` is combined with unsafe origin handling.
- Broad trust of subdomains that an attacker can influence or take over.
- Confusion between what CORS controls (whether a cross-origin page can read a response) and what it does not (whether a request can be sent and change state).

## Mitigation

- Explicitly enumerate trusted origins; match them exactly, not by prefix, suffix, or an unescaped regex.
- Never treat CORS as authorization.
- Review every credentialed cross-origin flow carefully.
- Keep server-side access control independent of browser policy.

## Logging / detection

- Unexpected `Origin` values hitting sensitive routes.
- Drift in the allowed-origin pattern over time.
- Preflight anomalies on auth-sensitive endpoints.

## Related notes

- cors-misconfiguration
- http-headers
- csrf
- cookies-and-sessions

## References

- Testing / Lab: PortSwigger CORS topic: https://portswigger.net/web-security/cors
- Foundational: MDN CORS guide: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS
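The exploit/test steps and the validation clues above, as one added example that is not part of the original playbook. It derives the origin probes from a trusted origin, runs them against a simulated permissive origin check of the kind that produces these findings and against a strict allowlist, and classifies the `Access-Control-*` headers that come back. The hostnames `app.example.com` and `evil.example.net` and the two policy functions are constructed for illustration; against a real target the `corsPolicy` callback would be replaced by the headers of an actual HTTP response.

```javascript
// Added example (not the playbook's own code). Hostnames and policies are constructed.
const TRUSTED = 'https://app.example.com';   // assumed legitimate front-end origin
const ATTACKER = 'https://evil.example.net'; // assumed attacker-controlled origin
const ALLOWED = new Set([TRUSTED, 'https://admin.example.com']); // the intended allowlist

// Origin values to send, derived from the trusted origin. Each one targets a
// common allowlist mistake named in its comment.
function originProbes(trusted, attacker) {
  const host = new URL(trusted).hostname;            // app.example.com
  const apex = host.split('.').slice(-2).join('.');  // example.com
  return {
    attacker,                                         // unrelated origin: the baseline
    nullOrigin: 'null',                               // sandboxed iframes and file:// pages send "null"
    httpDowngrade: `http://${host}`,                  // scheme not checked
    subdomain: `https://evil.${host}`,                // any subdomain trusted (takeover-able hosts)
    suffixAppended: `https://${host}.${new URL(attacker).hostname}`, // startsWith/prefix match
    noDotBoundary: `https://evil${apex}`,             // endsWith match without a leading dot
  };
}

// Simulated server-side check with two classic bugs: a prefix match on the full
// trusted origin and a suffix match on the apex domain. It reflects the origin
// and allows credentials, which is the reflected-origin finding from the playbook.
function permissiveCors(origin) {
  if (origin && (origin.startsWith(TRUSTED) || origin.endsWith('example.com'))) {
    return { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true' };
  }
  return {};
}

// Hardened form: exact-match allowlist, echo only what is listed, and Vary: Origin
// so caches never hand one origin's response to another.
function strictCors(origin) {
  if (!ALLOWED.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Classify one response's CORS headers for the Origin that was sent.
function classify(sentOrigin, headers, allowed) {
  const acao = headers['Access-Control-Allow-Origin'];
  const creds = String(headers['Access-Control-Allow-Credentials'] || '').toLowerCase() === 'true';
  const vary = String(headers['Vary'] || '').toLowerCase().split(',').map((s) => s.trim());
  const findings = [];
  if (acao === undefined) return findings;            // no CORS grant: the browser blocks the read
  if (acao === '*') {
    findings.push('wildcard-origin');
    if (creds) findings.push('wildcard-with-credentials'); // browsers reject "*" with credentials, but it signals confusion
    return findings;
  }
  if (acao === sentOrigin && !allowed.has(sentOrigin)) {
    findings.push(sentOrigin === 'null' ? 'null-origin-trusted' : 'untrusted-origin-reflected');
    if (creds) findings.push('credentialed-reflection'); // authenticated responses readable cross-origin
  }
  if (!vary.includes('origin')) findings.push('missing-vary-origin'); // per-origin ACAO without Vary
  return findings;
}

// Run every probe through a policy and return findings per probe name.
function runProbes(corsPolicy) {
  const results = {};
  for (const [name, origin] of Object.entries(originProbes(TRUSTED, ATTACKER))) {
    results[name] = classify(origin, corsPolicy(origin), ALLOWED);
  }
  return results;
}

// Count the probes that produced at least one finding.
function vulnerableProbeCount(corsPolicy) {
  return Object.values(runProbes(corsPolicy)).filter((f) => f.length > 0).length;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('permissive:', runProbes(permissiveCors));
  console.log('strict:', runProbes(strictCors));
}
```

Against a live target each probe corresponds to `curl -i -H "Origin: <probe>" <url>` for the simple-request case and `curl -i -X OPTIONS -H "Origin: <probe>" -H "Access-Control-Request-Method: PUT" <url>` for the preflight; feed the returned headers into `classify`. Note that the `attacker` and `nullOrigin` probes produce no finding against the permissive policy only because that particular policy happens not to match them; an allowlist that reflects any `Origin` would fail all six.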