Cross-Origin Resource Sharing Misconfiguration

【CORS Error】Misconfigurations and their impacts

Oct 31, 2022

11 min read

Sudip Sengupta

In this article:

Cross-Origin Resource Sharing (CORS) is a browser-based mechanism that indicates permissible origins for a browser to load resources outside its web server’s domain. Besides enabling enhanced flexibility than the Same-Origin Policy (SOP), CORS also ensures security by controlling how the resources are requested and loaded from an external domain.

Several factors, however, may cause a CORS implementation to be susceptible to cyber-attacks. One such cause is the poor configuration of the CORS policy that is commonly exploited for cross-domain attacks, where threat actors send malicious requests to the web server’s domain as the first step towards deeper, system-level attacks.

This article teaches CORS misconfiguration vulnerabilities, their impacts, and prevention strategies and addresses commonly asked questions.

What is CORS Misconfiguration?

A cross-origin resource-sharing misconfiguration occurs when the web server allows third-party domains to perform privileged tasks through the browsers of legitimate users. As the CORS mechanism relies on HTTP headers, a browser makes preflight requests to the cross-domain resource and checks whether the browser will be authorized to serve the actual request. Therefore, improper configuration of CORS headers allows malicious domains to access and exploit the web server’s API endpoints. While multiple headers define the CORS policy, the following three are considered significant for administering security:

Access-Control-Allow-Origin (ACAO) – Specifies

Read more

Explore the site

More from the blog

Latest News