Found a CORS Misconfiguration Using Burp Suite (Got a P5)

Finding Bug …….

While hunting for bugs during a late-night session, I came across a CORS misconfiguration using just Burp Suite.
At first, I thought it could be serious, but after digging deeper, the impact was low — and that’s why it was marked as a P5.

Still, I wanted to share the experience because even these “small” findings are worth it.

Let’s Go

I was doing basic recon on one of the assets from a private program.
Nothing fancy — just manual testing with Burp.

While checking the API responses, I noticed the server was setting the following header:

Access-Control-Allow-Origin: *

That immediately caught my eye.
I decided to test it further using Burp Repeater.

I manually added a custom Origin header like:

Origin: https://evil.com

And when the response came back, my Origin was reflected.
Plus, I noticed:

Access-Control-Allow-Credentials: true

Not gonna lie, that got me a little excited at first.
Because if sensitive data was available, this could be abused.

The next step was to check what kind of data was actually accessible.

I spent some time browsing through different endpoints.
Here’s what I found:

Public product data
Public blog content
Some generic API responses

No user-specific information.
No emails.
No auth tokens.
No PII.

In short: the CORS policy was badly configured, but there was no sensitive data exposure.

I prepared a clear report, including:

Steps to reproduce (very simple — custom Origin header)

Screenshots from Burp showing the behavior

Explanation of potential risks if sensitive data was ever added behind these APIs

The team responded pretty quickly.

They marked it as a P5 (low severity), awarded a HOF, and fixed the misconfiguration.

Honestly, the reasoning checks out:

There was no sensitive data exposed.
No account takeover or meaningful exploitation was possible.
. The bug itself didn’t pose any direct threat — and it would need several unlikely conditions (like hitting a sensitive endpoint) to even start becoming dangerous.

In its current state, it was a low impact issue.

{Not every bug will be a P1 or a big payout, and that’s okay.
Even smaller findings like this help make the internet a little safer — and they add up over time}

On to the next hunt 🔥

Good BY…..