CORS Misconfiguration

Cross-Origin Data Exposure • Advanced


Objective: Read sensitive API data from another origin.

Try: Send a request from an untrusted origin.

🌐 Design: CORS is about context. The requesting origin decides what the browser lets scripts read.
Everything here is simulated and sandboxed to this site—no real accounts, no real services.

1) Demo

Here is the feature “working” as implemented in this mode.

App Output
Request Origin
https://evil.example

This is where the browser says the request came from.

Server CORS Response
Access-Control-Allow-Origin: *
Insecure mode uses * (overly permissive).
API Data
{ "ok": true, "plan": "Premium", "playlists": 12 }
✅ Untrusted origin still received sensitive data (simulated).
Response
Status: 200 OK
Response Headers:
Access-Control-Allow-Origin: *

2) How the code works

This section shows the mental model: what the server is “thinking”.

setACAO("*"); // unsafe with credentials/sensitive data

3) The issue

Overly permissive CORS can expose sensitive API responses cross-origin.

Real-world impact: A malicious site can read your users’ data in their browser context.

4) Exploit it

Edit the raw request below. You can change method, path/query, headers, and body. Then send it. The server will parse what you typed and re-run the simulation.

Request Editor
Tip: For secure mode tests, add a cookie like: Cookie: session=1; role=Admin
Parsed View (what the server read)
method: GET
path: /api/profile
headers:
  host: kylerburke.dev
  origin: https://evil.example
body: (empty)
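The Parsed View above is what the server reconstructs from the raw text in the Request Editor. The following is an added example, not the site's own Worker code, of a parser for that format: request line, headers until the first blank line, then the body. It assumes CRLF or LF line endings, lowercases header names the way the Parsed View shows them, and also splits the Cookie header the Tip mentions into a name/value map. The sample request is constructed to match the demo (a GET to /api/profile from https://evil.example).

```javascript
// Added example (not the demo site's own code): parse the raw request text
// typed into the Request Editor into the "Parsed View" the page shows.
// Assumptions: request line "METHOD PATH HTTP/x.y", headers until a blank
// line, everything after that is the body; CRLF or LF line endings.
function parseRawRequest(raw) {
  const normalized = raw.replace(/\r\n/g, "\n");
  const blank = normalized.indexOf("\n\n");
  const head = blank === -1 ? normalized : normalized.slice(0, blank);
  const body = blank === -1 ? "" : normalized.slice(blank + 2);
  const lines = head.split("\n").filter((l) => l.length > 0);
  if (lines.length === 0) throw new Error("empty request");

  // Request line: method and path/query (the HTTP version is ignored here).
  const [method, path = "/"] = lines[0].trim().split(/\s+/);

  const headers = {};
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(":");
    if (colon === -1) continue; // malformed header line: skip it
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    // Repeated headers are joined with ", " as RFC 9110 permits.
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return { method: method.toUpperCase(), path, headers, body };
}

// Split a Cookie header ("session=1; role=Admin") into a name/value map.
function parseCookies(cookieHeader = "") {
  const jar = {};
  for (const part of cookieHeader.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Render the one-line "Parsed View" the page prints.
function parsedView(req) {
  const hdrs = Object.entries(req.headers)
    .map(([k, v]) => `${k}: ${v}`)
    .join(" ");
  const body = req.body === "" ? "(empty)" : req.body;
  return `method: ${req.method} path: ${req.path} headers: ${hdrs} body: ${body}`;
}

// Constructed sample matching the page's demo request.
const SAMPLE_REQUEST =
  "GET /api/profile HTTP/1.1\r\n" +
  "Host: kylerburke.dev\r\n" +
  "Origin: https://evil.example\r\n" +
  "\r\n";

console.log(parsedView(parseRawRequest(SAMPLE_REQUEST)));
```

The parser deliberately treats the Origin header as plain data: a server must never trust it as proof of where a request came from, only as the value the browser will later compare against Access-Control-Allow-Origin.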


5) Fix

Secure Mode shows the fix behavior. Flip modes and send the same request.

Allowlist trusted origins; never use * for sensitive endpoints.
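To make both the "How the code works" line (setACAO("*")) and this fix concrete, here is an added example, not the site's own Worker code, that implements the two policies the modes simulate and the browser-side rule that decides whether a cross-origin script may read the response. The allowlist contents are assumptions: https://kylerburke.dev is taken as the trusted first-party origin and https://app.example is a constructed second entry.

```javascript
// Added example (not the demo site's own Worker code): the two CORS policies
// the page's modes simulate, plus the browser rule that decides whether a
// cross-origin script may read the response body.
const TRUSTED_ORIGINS = new Set([
  "https://kylerburke.dev", // assumed trusted first-party origin
  "https://app.example",    // constructed second trusted origin
]);

// Insecure mode: the page's setACAO("*"), a wildcard for every caller.
function corsHeadersInsecure() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Secure mode: echo the Origin only when it is on the allowlist.
// Exact string match only: no prefix, suffix or regex matching, which is a
// common way allowlists end up accepting lookalike origins.
function corsHeadersSecure(requestOrigin) {
  if (requestOrigin && TRUSTED_ORIGINS.has(requestOrigin)) {
    return {
      "Access-Control-Allow-Origin": requestOrigin,
      "Access-Control-Allow-Credentials": "true",
      // The response varies by Origin, so shared caches must key on it.
      Vary: "Origin",
    };
  }
  // Unknown origin: send no ACAO header at all, so the browser blocks the read.
  return {};
}

// Browser-side check (simplified from the Fetch spec's CORS check): a script
// running on `scriptOrigin` may read the body if ACAO is "*" (accepted only
// for requests sent without credentials) or exactly equals its own origin
// (and, for credentialed requests, Allow-Credentials is "true").
function browserCanRead(scriptOrigin, headers, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials;
  if (acao !== scriptOrigin) return false;
  return !withCredentials || headers["Access-Control-Allow-Credentials"] === "true";
}

// Run one request through the chosen mode and report what the browser allows.
function simulate(mode, requestOrigin, withCredentials) {
  const policy = mode === "secure" ? corsHeadersSecure : corsHeadersInsecure;
  const headers = policy(requestOrigin);
  return {
    headers,
    readable: browserCanRead(requestOrigin, headers, withCredentials),
  };
}

console.log(simulate("insecure", "https://evil.example", false));
console.log(simulate("secure", "https://evil.example", false));
```

Two caveats worth keeping in mind when reading the simulation: a browser refuses a `*` response once the request carries credentials, so the wildcard exposes whatever the endpoint serves without a cookie; and a server that reflects any Origin together with Access-Control-Allow-Credentials: true is strictly worse than `*`, because it passes the browser check for every caller. The allowlist above avoids both by echoing only exact, known origins and omitting the header otherwise.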
