cors-cross-origin-misconfiguration


SKILL: CORS Misconfiguration — Credentialed Origins, Reflection, and Trust Boundary Errors

AI LOAD INSTRUCTION: Use this skill when browsers can access authenticated APIs cross-origin. Focus on reflected origins, credentialed requests, wildcard trust, parser mistakes, and origin allowlist bypasses. For JSONP hijacking deep dives, same-origin policy internals, honeypot de-anonymization, and CORS vs JSONP comparison, load the companion SCENARIOS.md.

Extended Scenarios

Also load SCENARIOS.md when you need:
  • JSONP hijacking complete attack scenario — watering hole + <script> cross-origin data theft
  • Honeypot de-anonymization via JSONP — use social platform JSONP endpoints to identify anonymous visitors
  • Same-origin policy deep dive — protocol/hostname/port definition, document.domain subdomain relaxation and its security risks
  • CORS vs JSONP technical comparison — methods, error handling, credential behavior, migration path
  • CORS exploitation payloads — reflected origin with credentials: include, null origin via sandboxed iframe
  • Dual-site attack lab pattern — localhost:8981 (target) + localhost:8982 (attacker) testing setup

1. WHEN TO LOAD THIS SKILL

Load when:
  • Responses contain Access-Control-Allow-Origin, Access-Control-Allow-Credentials, or preflight headers
  • A browser-based attack path might read authenticated API responses
  • JSON endpoints appear protected from CSRF but are readable cross-origin

2. HIGH-VALUE MISCONFIGURATION CHECKS

Theme — what to check:
  • wildcard with credentials — Access-Control-Allow-Origin: * plus credential support or equivalent broken behavior
  • reflected origin — server echoes arbitrary Origin
  • weak allowlist — suffix, prefix, substring, regex, or mixed-case matching errors
  • null origin — acceptance of sandboxed, file, or serialized origins
  • preflight trust — overbroad methods and headers
  • internal API exposure — admin or tenant data readable cross-origin
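
The weak-allowlist row above lists matching errors that each accept origins the developer never intended. As an added example, not part of this skill file, the code below puts each weak matcher beside a strict exact-origin comparison and shows which constructed probe origins every variant grants; the allowlist entries, the example.com hostnames and the helper names (evaluate, cors_response_headers) are assumptions made for the illustration. The strict form also covers the null-origin and wildcard-with-credentials rows: it rejects the literal "null" and never emits "*" on a credentialed endpoint.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for a hypothetical application. Stored lowercase so a
# hand-typed mixed-case entry cannot silently break the exact comparison below
# (a failing exact match is what tempts developers into the looser matchers).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def weak_suffix(origin):
    """Suffix match: also accepts https://evilexample.com."""
    return origin.endswith("example.com")


def weak_prefix(origin):
    """Prefix match: also accepts https://app.example.com.attacker.test."""
    return origin.startswith("https://app.example.com")


def weak_substring(origin):
    """Substring match: accepts any origin that merely contains the string."""
    return "example.com" in origin


def weak_regex(origin):
    """Unanchored regex with unescaped dots: '.' matches any character."""
    return re.search(r"https://app.example.com", origin) is not None


def strict_allows(origin):
    """Hardened form: full-origin, exact match against a fixed allowlist.

    Rejects a missing header, the literal 'null' origin (sandboxed iframes,
    file:// pages, serialized opaque origins) and anything carrying a path,
    query or fragment, which a browser-sent Origin never has.
    """
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https" or parts.path or parts.query or parts.fragment:
        return False
    return origin.lower() in ALLOWED_ORIGINS


def evaluate(origin):
    """Which matchers accept a given Origin value (True = access would be granted)."""
    return {
        "suffix": weak_suffix(origin),
        "prefix": weak_prefix(origin),
        "substring": weak_substring(origin),
        "regex": weak_regex(origin),
        "strict": strict_allows(origin),
    }


def cors_response_headers(origin):
    """Headers a credentialed endpoint should emit for an allowed origin.

    The exact origin is echoed (never '*', which browsers refuse to pair with
    credentials) together with Vary: Origin so a shared cache does not serve
    one origin's grant to another; disallowed origins get no CORS headers.
    """
    if not strict_allows(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed probe origins: one legitimate, four that should be rejected.
    for o in ["https://app.example.com", "https://evilexample.com",
              "https://app.example.com.attacker.test", "https://appxexample.com", "null"]:
        print(o, evaluate(o))
```

Running the block prints one row per probe; every weak matcher accepts at least one of the four hostile origins while strict_allows accepts only the allowlisted one.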

3. QUICK TRIAGE

  1. Send crafted Origin headers and inspect reflection.
  2. Test with and without credentials.
  3. Probe allowlist bypasses using attacker subdomains and parser edge cases.
  4. If readable data is sensitive, chain to account or tenant impact.
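
Steps 1 and 2 yield, for each probe, the Origin value sent and the response headers received. As an added example that is not part of this skill file, the classifier below turns such pairs into the findings named in section 2 and attaches a rough severity for step 4; the SAMPLES responses, the https://attacker.test probe origin, the finding labels and the severity ranking are all constructed for the illustration.

```python
# Constructed probe results: (Origin value sent, response headers received).
SAMPLES = {
    "reflect_cred": ("https://attacker.test", {
        "Access-Control-Allow-Origin": "https://attacker.test",
        "Access-Control-Allow-Credentials": "true"}),
    "reflect_cred_vary": ("https://attacker.test", {
        "Access-Control-Allow-Origin": "https://attacker.test",
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin, Accept-Encoding"}),
    "wildcard_cred": ("https://attacker.test", {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true"}),
    "null_cred": ("null", {
        "Access-Control-Allow-Origin": "null",
        "Access-Control-Allow-Credentials": "true"}),
    "reflect_nocred": ("https://attacker.test", {
        "Access-Control-Allow-Origin": "https://attacker.test"}),
    "strict": ("https://attacker.test", {"Content-Type": "application/json"}),
}

# Assumed severity scale: what a hostile page in the victim's browser could read.
SEVERITY = {
    "reflected-origin-with-credentials": "high",  # authenticated responses readable
    "null-origin-with-credentials": "high",       # same, from a sandboxed iframe or file page
    "wildcard-with-credentials": "medium",        # browsers block credentials under '*', policy still broken
    "reflected-origin": "low",                    # unauthenticated data only, unless network-trusted
    "null-origin": "low",
    "wildcard": "info",
    "vary-origin-missing": "info",                # a cached grant may be served to other origins
}
RANK = ["info", "low", "medium", "high"]


def classify(sent_origin, headers):
    """Return the list of finding labels for one probe (Origin sent, headers received)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    vary = {v.strip().lower() for v in h.get("vary", "").split(",")}
    findings = []
    if acao is None:
        return findings  # no grant for this origin: the strict, expected outcome
    if acao == "*":
        findings.append("wildcard-with-credentials" if creds else "wildcard")
    elif acao == "null" and sent_origin == "null":
        findings.append("null-origin-with-credentials" if creds else "null-origin")
    elif acao == sent_origin:
        findings.append("reflected-origin-with-credentials" if creds else "reflected-origin")
        if "origin" not in vary:
            findings.append("vary-origin-missing")
    return findings


def triage(samples=SAMPLES):
    """Map every probe to (findings, worst severity); 'none' when nothing was granted."""
    report = {}
    for name, (origin, headers) in samples.items():
        findings = classify(origin, headers)
        worst = max((SEVERITY[f] for f in findings), key=RANK.index, default="none")
        report[name] = (findings, worst)
    return report


if __name__ == "__main__":
    for name, (findings, worst) in triage().items():
        print(f"{name:18} {worst:6} {findings}")
```

Only the probes whose response echoes the attacker-controlled origin, or "null", together with Access-Control-Allow-Credentials: true rank high; a reflected origin without credentials matters only when the data is readable without a session, which is why step 4 ties the finding to account or tenant impact.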

4. RELATED ROUTES

  • Session or JSON action abuse: csrf cross site request forgery
  • OAuth token leakage and callback binding: oauth oidc misconfiguration
  • API auth context: api auth and jwt abuse