The Complete Guide to CORS (In)Security

DATE: 28 August 2018

UPDATED ON: 28 January 2020

The guide attached to this article aims to collect all the techniques, from the basics to the advanced ones, to attack and protect Cross-Origin Resource Sharing (CORS).

What's new?

In the last update (version 1.1), published in January 2020, two new techniques to exploit CORS misconfigurations have been added:

  • Using an insecure protocol
  • Using the browser cache

Another update concerned the special characters supported by the main browsers.

Some minor updates and typo corrections close the list of changes.

Who should read this guide?

This guide is directed at a large audience: web administrators, developers, penetration testers, bug bounty hunters and, more generally, security professionals.

Inside this guide the reader will find:

  • A brief introduction to the Same Origin Policy and Cross-Origin Resource Sharing (CORS)
  • Main techniques, from basic to advanced ones, to attack an application with CORS enabled
  • General guidelines to implement CORS securely
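As an added example that is not part of the guide or of this announcement: a Node.js sketch of the kind of Origin check that the "insecure protocol" technique listed above targets (a check that ignores the scheme, so a plaintext http:// variant of a trusted origin is accepted), placed beside a strict allowlist check of the sort the guide's secure-implementation guidelines call for. The origins app.example.com and admin.example.com, the function names and the sample Origin values are assumptions for illustration only.

```javascript
// Added example, not code from the BeDefended guide. Hostnames below are assumptions.
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Weak check: matches only on the host string and ignores the scheme.
// Consequences: http://app.example.com (which an attacker on the network
// path can answer as, and which can carry the same cookies) is accepted,
// and so is https://app.example.com.attacker.net, because the trusted host
// is merely a substring of the supplied Origin.
function weakOriginCheck(origin) {
  if (!origin) return null;
  const allowed = [...TRUSTED_ORIGINS].some((trusted) => {
    const host = new URL(trusted).hostname;
    return origin.includes(host); // substring match, no scheme or boundary check
  });
  return allowed ? origin : null;
}

// Strict check: parse the Origin header, require https, and compare the
// canonical scheme://host[:port] (lower-cased, default port dropped by the
// URL parser) against an exact allowlist. Unparseable values such as the
// literal string "null" are rejected.
function strictOriginCheck(origin) {
  if (!origin) return null;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return null;
  }
  if (parsed.protocol !== 'https:') return null;
  const canonical = parsed.origin;
  return TRUSTED_ORIGINS.has(canonical) ? canonical : null;
}

// Build CORS response headers for a credentialed endpoint using the given
// check. When the origin is not allowed no ACAO header is emitted at all,
// so the browser refuses to expose the response to the calling page.
// "Vary: Origin" tells caches that the response depends on the Origin
// header, so a copy generated for one origin is not replayed to another.
function corsHeaders(origin, check) {
  const allowed = check(origin);
  if (!allowed) return {};
  return {
    'Access-Control-Allow-Origin': allowed,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Constructed sample Origin values: a legitimate one, the plaintext variant,
// a suffix-spoofed host and the opaque "null" origin.
const SAMPLES = [
  'https://app.example.com',
  'http://app.example.com',
  'https://app.example.com.attacker.net',
  'null',
];

for (const origin of SAMPLES) {
  console.log(
    origin.padEnd(40),
    'weak:', String(weakOriginCheck(origin)).padEnd(40),
    'strict:', strictOriginCheck(origin),
  );
}
```

The weak variant reflects whatever Origin passed the substring test, together with Allow-Credentials, which is exactly the combination that lets a page on an attacker-controlled or network-injected origin read authenticated responses; the strict variant only ever echoes a value that is itself in the allowlist.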

Be sure to develop secure apps. BeDefended.

Thanks for reading.

Read the full paper.
