Found a CORS Misconfiguration Using Burp Suite (Got a P5)
Summary: During a late-night session the author used Burp Suite to find a CORS misconfiguration; it looked potentially serious at first, but the real impact was low. By manually adding a custom Origin header and testing the API responses, they confirmed that the CORS configuration reflected the origin and allowed credentials. Further investigation, however, showed that all of the exposed data was public (product data, blog content and the like), with no sensitive or user-specific information. The final report described the issue in detail, and the team fixed it quickly and acknowledged the finding. 2025-7-12 13:40:7 Author: infosecwriteups.com

AAKASH SHARMA

Finding the Bug…

While hunting for bugs during a late-night session, I came across a CORS misconfiguration using just Burp Suite.
At first, I thought it could be serious, but after digging deeper, the impact was low — and that’s why it was marked as a P5.

Still, I wanted to share the experience because even these “small” findings are worth it.

Let’s Go

I was doing basic recon on one of the assets from a private program.
Nothing fancy — just manual testing with Burp.

While checking the API responses, I noticed the server was setting the following header:

Access-Control-Allow-Origin: *

That immediately caught my eye.
I decided to test it further using Burp Repeater.

I manually added a custom Origin header like:

Origin: https://evil.com

And when the response came back, my Origin was reflected.
Plus, I noticed:

Access-Control-Allow-Credentials: true

Not gonna lie, that got me a little excited at first.
Because if sensitive data was available, this could be abused.

The next step was to check what kind of data was actually accessible.

I spent some time browsing through different endpoints.
Here’s what I found:

  • Public product data
  • Public blog content
  • Some generic API responses

No user-specific information.
No emails.
No auth tokens.
No PII.

In short: the CORS policy was badly configured, but there was no sensitive data exposure.
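The Burp test described above boils down to two header checks: is the request's Origin reflected in Access-Control-Allow-Origin, and is Access-Control-Allow-Credentials set to true. The following is an added example (not code from the original post) that encodes that triage as a function, with constructed sample responses standing in for the program's real API, and shows the hardened allowlist form a server should use instead; the allowlist entries are hypothetical.

```python
"""Triage CORS response headers the way the manual Burp Repeater test does."""
from typing import Dict, Optional

# Hypothetical allowlist for the hardened handler below (not from the original post).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def assess_cors(origin: str, headers: Dict[str, str]) -> str:
    """Return a verdict for one request Origin and the response headers it produced.

    Header names are compared case-insensitively, as HTTP header names are.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        # Browsers never send cookies to a '*' policy, so only public data is readable.
        return "wildcard"
    if acao == origin:
        # Reflected origin plus credentials: a page on any site a logged-in user
        # visits could read this response. Without credentials it is only public data.
        return "reflected-with-credentials" if creds else "reflected-without-credentials"
    return "fixed-origin"


def cors_headers_for(origin: Optional[str]) -> Dict[str, str]:
    """Hardened server side: echo the Origin only when it is on the allowlist."""
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            # Vary stops a cache from replaying one origin's ACAO header to another.
            "Vary": "Origin",
        }
    return {}


# Constructed sample responses, modelled on the behaviour the write-up describes.
SAMPLES = {
    "wildcard-endpoint": {"Access-Control-Allow-Origin": "*"},
    "reflecting-endpoint": {"Access-Control-Allow-Origin": "https://evil.com",
                            "Access-Control-Allow-Credentials": "true"},
}


def triage_samples(origin: str = "https://evil.com") -> Dict[str, str]:
    """Run the assessment over every constructed sample and map name -> verdict."""
    return {name: assess_cors(origin, hdrs) for name, hdrs in SAMPLES.items()}
```

A "reflected-with-credentials" verdict is only as serious as the data behind the endpoint, which is exactly why the finding above ended up as a P5.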

I prepared a clear report, including:

  • Steps to reproduce (very simple — custom Origin header)
  • Screenshots from Burp showing the behavior
  • Explanation of potential risks if sensitive data was ever added behind these APIs

The team responded pretty quickly.

They marked it as a P5 (low severity), awarded a HOF, and fixed the misconfiguration.

Honestly, the reasoning checks out:

  • There was no sensitive data exposed.
  • No account takeover or meaningful exploitation was possible.
  • The bug itself didn’t pose any direct threat — and it would need several unlikely conditions (like hitting a sensitive endpoint) to even start becoming dangerous.

In its current state, it was a low impact issue.

Not every bug will be a P1 or a big payout, and that’s okay.
Even smaller findings like this help make the internet a little safer — and they add up over time.

On to the next hunt 🔥

Goodbye…

Source: https://infosecwriteups.com/found-a-cors-misconfiguration-using-burp-suite-got-a-p4-c212289f9592?source=rss----7b722bfd1b8d---4