BIPI

CORS Misconfiguration Exploitation and Same-Site Bypasses

Cybersecurity

From reflected origins to null-origin tricks and SameSite Lax bypasses, the CORS bugs that still leak data and tokens in 2024.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 22, 2024 · 9 min read

#cors #pentesting #web-security #samesite

CORS is a deny-by-default model that developers regularly loosen by accident. A reflected Origin header combined with Access-Control-Allow-Credentials: true is still one of the fastest paths from a bug on a marketing subdomain to API token theft.

Dangerous CORS Patterns

  • Access-Control-Allow-Origin reflects the request Origin without checking it against an allowlist
  • Access-Control-Allow-Credentials: true paired with a permissive origin
  • Unanchored allowlist regex that also matches attacker.target.com.evil.com
  • The null origin allowed: it is what sandboxed iframes and data: URIs send
  • Wildcard subdomain trust where any subdomain can be claimed via takeover

Testing CORS Quickly

Send an Origin header pointing to attacker.example and check the response. If Access-Control-Allow-Origin echoes your value and Access-Control-Allow-Credentials is true, you have a bug. The Burp Suite CORS checker plugin and ffuf with custom headers automate the sweep across endpoints.

Exploitation Patterns

  1. Host a page at attacker.com that fetches the API with credentials: 'include'
  2. Read the response body (fetch, then .text()) and send it to the attacker's server
  3. Chain with a subdomain takeover where wildcard subdomain trust exists
  4. Pivot to CSRF token theft when CSRF tokens are returned in API responses
  5. Use the null origin via a sandboxed iframe when null is allowed

SameSite Cookie Bypasses

SameSite=Lax is the default in Chromium. It withholds cookies on cross-site POSTs but still sends them on top-level GET navigations, so any endpoint that performs a state change on GET is exploitable. SameSite=None requires the Secure attribute but still permits CSRF, which catches out developers who assumed Lax was the default.

  • GET-based state changes (logout, follow user, add to cart) bypass Lax
  • Method-override parameters or headers let a request that is a GET on the network be handled as a POST by the framework
  • On Chromium, Lax-by-default cookies are still sent on top-level cross-site POSTs for 2 minutes after the cookie is set
  • Subdomains are same-site and can share cookies, so an XSS on the docs subdomain can reach cookies scoped to the api subdomain

SameSite is defense in depth, not a CSRF replacement. Pair it with CSRF tokens or origin checks for state changes.

Preflight Bypass

Simple requests (GET, HEAD, or POST with a text/plain or form-urlencoded body) skip the preflight. If the endpoint accepts JSON sent with a text/plain Content-Type, the request reaches it without any OPTIONS check, so the preflight no longer protects that path and CORS becomes effectively wide open for it.

Remediation

  1. Use a strict allowlist of origins; never reflect Origin blindly
  2. Avoid Access-Control-Allow-Credentials: true unless absolutely required
  3. Validate Content-Type server-side; reject text/plain on JSON endpoints
  4. Anchor regex matches with start and end markers and escape dots
  5. Decommission unused subdomains to prevent takeovers
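
The weak allowlist regex from the patterns above next to the strict, exact-match check from steps 1 to 4, as an added example (not code from the original article). The origin list, the regex and the target.com names are constructed for illustration.

```javascript
// Added example, not from the article: origin validation expressed as pure
// functions that return the CORS headers to emit (or none) for a given Origin.
const ALLOWED_ORIGINS = new Set([
  'https://app.target.com',   // constructed allowlist for the example
  'https://admin.target.com',
]);

// The weak pattern: no end anchor and an unescaped dot, so
// "https://attacker.target.com.evil.com" is accepted as a trusted origin.
const WEAK_RE = /^https:\/\/.*\.target.com/;
function weakAllows(origin) { return WEAK_RE.test(origin); }

// Strict check: exact string match against a fixed allowlist. No regex,
// no suffix matching, and "null" never passes because it is not listed.
function strictAllows(origin) { return ALLOWED_ORIGINS.has(origin); }

// Headers to add to a response for a request carrying `origin`.
// Credentials are only enabled alongside a single listed origin, and
// Vary: Origin stops shared caches from replaying one origin's ACAO to another.
function corsHeadersFor(origin) {
  if (!strictAllows(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Remediation step 3: a JSON endpoint only accepts bodies declared as JSON,
// so a text/plain "simple request" cannot reach the handler without preflight.
function acceptsJsonBody(contentType) {
  const mediaType = (contentType || '').split(';')[0].trim().toLowerCase();
  return mediaType === 'application/json';
}
```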

Key Figures

  • CVE-2023-25194: a CORS-adjacent class to keep in mind
  • 2 minutes: the Chromium Lax cookie grace window
  • 1 header: Origin reflection is one config away from a full leak
