⌘K
ENES
GitHub
playbookSecurity Playbooks~1 min readUpdated Apr 23, 2026

Test CORS Behavior

Goal

Determine whether CORS policy is too permissive, reflected unsafely, or misunderstood as an authorization control.

Assumptions

  • one or more API/browser endpoints rely on cross-origin access
  • the browser enforces CORS, not the server in a general auth sense
  • credentials and origin handling may be misconfigured

Prerequisites

  • endpoints returning CORS headers
  • ability to send custom Origin headers
  • understanding of whether cookies or credentials are involved

Recon steps

  1. Identify cross-origin endpoints.
  2. Record Access-Control-* headers on normal responses and preflights.
  3. Observe whether origins are static, wildcard, or reflected.

Exploit / test steps

  1. Send requests with attacker-controlled Origin values.
  2. Check whether credentials are allowed alongside reflected origins.
  3. Compare preflight and non-preflight behavior.
  4. Test subdomain and scheme variations of trusted origins.
  5. Confirm whether the team is relying on CORS where server-side auth should exist.

Validation clues

  • reflected attacker origin
  • Access-Control-Allow-Credentials: true with unsafe origin behavior
  • broad trust of attacker-influenceable subdomains
  • confusion between readable responses and writable state changes

Mitigation

  • explicitly enumerate trusted origins
  • never treat CORS as authorization
  • review credentialed cross-origin flows carefully
  • keep server-side access control independent of browser policy

Logging / detection

  • unexpected origins hitting sensitive routes
  • drift in allowed origin patterns
  • preflight anomalies on auth-sensitive endpoints

References

  • Testing / Lab: PortSwigger CORS topic — https://portswigger.net/web-security/cors
  • Foundational: MDN CORS guide — https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS

Explore nearby notes

Security PlaybooksBreak JWT ValidationIdentify whether JWT handling is weak enough to allow acceptance of invalid, stale, mis-scoped, or attacker-influenced tokens. Security PlaybooksDetect BloodHound Collection_Playbook structure (Goal / Assumptions / Prerequisites / Detection steps / Validation clues / Mitigation / Logging / Operational safety), matching the trio... Security PlaybooksDetect DCSync and ntds.dit AccessDetect both forms of bulk Active Directory credential extraction — **DCSync** (IDL_DRSGetNCChanges via the DRSUAPI RPC interface) and **offline ntds.dit... Security PlaybooksDetect External Recon Scan PipelineDetect an external operator running a two-phase Masscan → Nmap-NSE recon pipeline (the offense playbook run-scan-pipeline) against your perimeter, with high enough... Security PlaybooksDetect Kerberoasting and AS-REP RoastingDetect both Active Directory Kerberos credential-attack families (Kerberoasting and AS-REP Roasting) via behavioral analysis on Event IDs 4768/4769 and... Security PlaybooksExploit IDORDetermine whether object identifiers can be manipulated to access another user's data or actions.