Cross origin resource sharing (CORS)

Cross-origin resource sharing is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos.

-- Wikipedia

Same-origin policy (SOP)

  • SOP is a web browser security mechanism

  • Restricts scripts to access data from other origins

  • Some objects are only write- or readable

See also PortSwigger - Web Security Academy - Same-origin policy (SOP).

Access-Control-Allow-Origin header (ACAO)

Provides controlled relexation of SOP.

See also PortSwigger - Web Security Academy - CORS and the Access-Control-Allow-Origin response header.


  1. Check for responses containing the Access-Control-Allow-Credentials header and the value being set to true

  2. Resubmit the request using a random or Origin header

  3. Check that that origin is reflected in the Access-Control-Allow-Origin repsonse header

  4. Craft malicious code that requests that data and sends the response to a server you control. Then deliver the code to the victim.

Null origin

Try the same using null as value in the request Origin header.

Last updated