OWASP A02 · Security Misconfiguration
CWE-942 Permissive Cross-domain Policy
Severity: High
CORS — wildcard origin with credentials
Reflecting the Origin (or *) while allowing credentials lets any site read authenticated responses.
What happened
A common misconfiguration: an API copies whatever Origin header it is given into Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true. Now attacker.com can make the victim's browser send the victim's cookies with the request and read the response: a cross-origin data leak. Benteng's site scanner sends a preflight from a fake origin to catch exactly this.
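The two sides of this case, as an added example that is not Benteng's code: an allow-list policy function the way the fix section describes it, and a scanner-style check that reads the headers returned to a preflight from a probe origin and reports whether an untrusted site could read credentialed responses. The origin names and the handler shape are assumptions; corsHeadersFor is meant to be called from an http.createServer handler.

```javascript
// Added example (not Benteng's code). Hypothetical allow-list; a real
// deployment would load this from configuration.
const ALLOW = new Set(["https://app.example.com"]);

// Fix: compute CORS headers for a request Origin. Only an allow-listed
// value is ever echoed back; an unknown or missing Origin gets no CORS
// headers at all, so the browser blocks the cross-origin read.
function corsHeadersFor(origin, allow = ALLOW) {
  const headers = {};
  if (origin && allow.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin; // echo only an allowed value
    headers["Vary"] = "Origin"; // keep caches from serving one origin's answer to another
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
  }
  return headers;
}

// Request handler wiring (pass to http.createServer). req/res follow the
// Node.js shape: req.method, req.headers, res.setHeader, res.writeHead, res.end.
function handleRequest(req, res) {
  const cors = corsHeadersFor(req.headers.origin);
  for (const [name, value] of Object.entries(cors)) res.setHeader(name, value);
  if (req.method === "OPTIONS") {
    res.writeHead(204); // preflight: headers only
    res.end();
    return;
  }
  res.setHeader("Content-Type", "application/json");
  res.end(JSON.stringify({ user: "alice" })); // constructed sample payload
}

// Check: given the response headers a server returned to a preflight sent
// from probeOrigin (an origin it should NOT trust), decide whether the
// response would let that origin read credentialed data. Header lookup is
// case-insensitive because clients normalise names differently.
function isPermissiveCors(responseHeaders, probeOrigin) {
  const get = (wanted) => {
    const key = Object.keys(responseHeaders).find((h) => h.toLowerCase() === wanted);
    return key === undefined ? undefined : responseHeaders[key];
  };
  const acao = get("access-control-allow-origin");
  const acac = String(get("access-control-allow-credentials") || "").toLowerCase() === "true";
  if (!acac) return false; // without credentials the response carries no session data
  // Reflection of the probe origin, or a wildcard, combined with credentials
  // is the "wildcard origin with credentials" finding.
  return acao === "*" || acao === probeOrigin;
}
```

Reading the checker against the page's two snippets: the vulnerable server answers a probe from https://attacker.example with that same value in Access-Control-Allow-Origin plus credentials, so isPermissiveCors returns true; the fixed server sends no Access-Control-Allow-Origin for that probe, so it returns false.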
The code
✕ Vulnerable — CORS
res.setHeader("Access-Control-Allow-Origin", req.headers.origin); // reflected: any Origin is echoed back
res.setHeader("Access-Control-Allow-Credentials", "true"); // + creds = leak
✓ Fixed — CORS
const ALLOW = new Set(["https://app.example.com"]); // explicit allow-list of trusted origins
if (ALLOW.has(req.headers.origin)) {
  res.setHeader("Access-Control-Allow-Origin", req.headers.origin); // echo only an allow-listed value
  res.setHeader("Vary", "Origin"); // so caches never serve one origin's answer to another
  res.setHeader("Access-Control-Allow-Credentials", "true");
} // never combine * (or reflection) with credentials
References
Educational case study. The "vulnerable" snippet is a minimal teaching example, not a working exploit. Benteng · a Palu Gada tool.