← vuln-lab catalog

CORS Misconfiguration

/api/cors-open reflects the request's Origin back in Access-Control-Allow-Origin and sets Access-Control-Allow-Credentials: true. That combination lets any website read this response with the victim's cookies.

(no response yet)

Trigger: host an attacker page that runs the same credentials:'include' fetch cross-origin and reads the JSON.

Detected by: browser_cdp_cors_test