OWASP A02 · Security Misconfiguration · CWE-942 Permissive Cross-domain Policy · Severity: High

CORS — wildcard origin with credentials

Reflecting the Origin (or *) while allowing credentials lets any site read authenticated responses.

What happened

A common misconfiguration: an API reflects whatever Origin it's given and sets Access-Control-Allow-Credentials: true. Now attacker.com can make the victim's browser send its cookies and read the response — a cross-origin data leak. Benteng's site scanner sends a preflight from a fake origin to catch exactly this.

The code

✕ Vulnerable (CORS)

```javascript
// Echoes any Origin back and grants credentials: the combination that lets a
// foreign page read the victim's authenticated response.
res.setHeader("Access-Control-Allow-Origin", req.headers.origin); // reflected
res.setHeader("Access-Control-Allow-Credentials", "true");        // + creds = leak
```

✓ Fixed (CORS)

```javascript
const ALLOW = new Set(["https://app.example.com"]); // exact-match allowlist
if (ALLOW.has(req.headers.origin)) {
  res.setHeader("Access-Control-Allow-Origin", req.headers.origin);
  res.setHeader("Vary", "Origin"); // keep caches from serving one origin's grant to another
  res.setHeader("Access-Control-Allow-Credentials", "true");
} // never combine * (or reflection) with credentials
```
→ Detect this class with CORS analyzer
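The fake-origin probe described above, as an added example that is not Benteng's code: the allowlist fix and the vulnerable handler are written as pure functions so the scanner-side check can be run against both; the probe origin `https://attacker.example` is constructed.

```javascript
// Added example (not from the case study or Benteng). Header names are the
// standard CORS response headers; the probe origin below is constructed.

const ALLOW = new Set(["https://app.example.com"]);

// Fixed behaviour: only an exact allowlisted Origin is echoed back.
function corsHeadersFixed(origin) {
  const headers = {};
  if (ALLOW.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Vary"] = "Origin";
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers; // empty object = no CORS grant, browser blocks the cross-origin read
}

// Vulnerable behaviour from the case study, kept only to feed the check below.
function corsHeadersVulnerable(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Scanner-side check: given the Origin we sent and the headers that came back,
// return a finding name, or null when the response grants nothing to that origin.
// Only meaningful with an origin the API should NOT trust: an allowlisted origin
// is legitimately echoed and would look identical to reflection.
function checkCorsResponse(probeOrigin, headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  const acao = lower["access-control-allow-origin"];
  const creds = (lower["access-control-allow-credentials"] || "").toLowerCase() === "true";
  if (acao === undefined) return null;
  if (acao === probeOrigin && creds) return "reflected-origin-with-credentials";
  // Browsers refuse to pair "*" with credentials, but the server still has the
  // misconfiguration and should be fixed rather than rely on that client rule.
  if (acao === "*" && creds) return "wildcard-with-credentials";
  if (acao === probeOrigin) return "reflected-origin"; // unauthenticated data only
  return null;
}

// Drive a handler with a fake origin, exactly as the site scanner does.
function probe(handler, probeOrigin = "https://attacker.example") {
  return checkCorsResponse(probeOrigin, handler(probeOrigin));
}
```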

Educational case study. The "vulnerable" snippet is a minimal teaching example, not a working exploit. Benteng · a Palu Gada tool.