Summary

  • The article describes a finding in which the author gained access to internal data through a misconfiguration of CORS (Cross-Origin Resource Sharing), the browser mechanism that controls which origins may read a web API's responses.
  • During regular reconnaissance of a target company, the author found a JavaScript file that referenced an API endpoint which, when given an email address, returned detailed information about that user.
  • Because the target used the “api-secure.target.com” domain for both internal and external resources and did not restrict the origins that could access its internal resources, the author was able to read data stored in another domain that should have been internal only.
  • Misconfigurations like these pose a significant threat to companies and can lead to large-scale breaches and exposure of critical data.
  • The author stresses the need to configure CORS properly and to ensure that internal resources are protected, in order to prevent unauthorized access.
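
The origin restriction the summary calls for, as an added example that is not code from the original article: an unrestricted policy beside an exact-match allowlist, plus a small audit that lists which untrusted origins a policy would let read responses. The function names, the allowlisted origin `https://app.target.com` and the probe origins are assumptions constructed for illustration; echoing the `Origin` header is assumed here as one common form of "not restricting origins".

```javascript
// Added illustration; all names and origins below are hypothetical.

// Constructed allowlist: the only origins allowed to read API responses.
const ALLOWED_ORIGINS = new Set(["https://app.target.com"]);

// Constructed probe set for regression-testing a policy.
const PROBE_ORIGINS = [
  "https://app.target.com",                   // trusted
  "https://app.target.com.untrusted.example", // look-alike suffix
  "https://untrusted.example",                // unrelated site
  "http://app.target.com",                    // right host, wrong scheme
  "null",                                     // sandboxed/opaque origin
];

// Weak: echoes any Origin back, so every site may read the response.
function weakCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return { "Access-Control-Allow-Origin": requestOrigin, "Vary": "Origin" };
}

// Hardened: grant only an exact, well-formed match from the allowlist.
function strictCorsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!requestOrigin) return {};
  let parsed;
  try {
    parsed = new URL(requestOrigin); // "null" and junk values throw here
  } catch {
    return {};
  }
  // Reject anything that is not exactly scheme://host[:port].
  if (parsed.origin !== requestOrigin) return {};
  if (!allowed.has(parsed.origin)) return {};
  return { "Access-Control-Allow-Origin": parsed.origin, "Vary": "Origin" };
}

// Returns the probe origins a policy grants although they are not allowlisted.
function auditPolicy(policy, probes = PROBE_ORIGINS, allowed = ALLOWED_ORIGINS) {
  return probes.filter((origin) => {
    const granted = policy(origin)["Access-Control-Allow-Origin"];
    return granted !== undefined && !allowed.has(origin);
  });
}

console.log("weak policy grants:", auditPolicy(weakCorsHeaders));
console.log("strict policy grants:", auditPolicy(strictCorsHeaders));
```

An empty list from `auditPolicy` means no untrusted probe origin was granted read access; CORS limits which origins a browser lets read a response, so internal endpoints still need their own authentication and network controls.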

By Iski

Original Article