🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

CORS Reflected Origin

Cross Origin Resource Sharing (CORS) is a way to punch hole in the security brought by a browser. If it is not done carefully, it may result into security vulnerabilities. CORS is an HTTP-header that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. Reflecting the value from Origin request header in the Access-Control-Allow-Origin response header eliminates the protection as an adversary can cross-domain request from any origin.

Remediation

  • Do no reflect the Origin header
  • Specify a whitelist of domains from which requests are allowed.

Metadata

  • Severity: informational
  • Slug: cors-reflected-origin

CWEs

  • 346: Origin Validation Error

OWASP

  • A01:2021: Broken Access Control

Available Labs

Select a language to explore available labs for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.