https://www.youtube.com/watch?v=wgkj4ZgxI4c

Exploiting trust: Weaponizing permissive CORS configurations

To complement this methodology, I have created a Burp extension that will check for all the bypasses mentioned in this research, as well as those included in PortSwigger’s recently released URL validation bypass cheat sheet. Additionally, the extension can be used to quickly check if any given endpoint has a hidden trusted domain. If any domains appear to be trusted, the extension will automatically attempt to use the previously mentioned bypasses to check for permissive CORS issues.

Alternatively, you can check for trusted domains manually using Burp Intruder:

  1. Take all domains in scope for your test and run tools like subfinder against them to build a list of domains and subdomains that are likely to be considered “trusted”
  2. Send an endpoint that you want to test for permissive CORS to Intruder in Burp Suite and add an “Origin” header with the host wrapped in payload markers, like this: Origin: https://§outpost24.com§
  3. Uncheck “URL-encode these characters” in the Intruder payload settings so the dots in the domain names are sent literally
  4. Start the attack and filter the results for responses that contain an “Access-Control-Allow-Origin” header

Once you have a list of trusted domains that respond with “Access-Control-Allow-Origin” headers, you can test the normal “Origin” header bypasses to attempt to gain arbitrary domain reflection.
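The following is an added example, not code from the original post or from the author's Burp extension. It models steps 2 to 4 of the manual method without any network traffic and puts the usual root cause beside its fix: a server that allows origins by suffix match against the trusted name, compared with one that parses the Origin and compares the exact host against an allow-list. The endpoint is a constructed stand-in (`simulate_response`), and every domain name, including the attacker.example host, is an assumption used only for illustration.

```python
"""Model the trusted-domain hunt and the server-side cause of arbitrary reflection.

Added example, not code from the original post or its Burp extension. There is
no network here: `simulate_response` is a constructed stand-in for the endpoint
under test, and every domain name is an assumption used for illustration.
"""
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Hypothetical allow-list of hosts the endpoint intends to trust.
TRUSTED_HOSTS = {"outpost24.com", "www.outpost24.com"}


def weak_allow(origin: str) -> bool:
    """Permissive check: a bare suffix match on the raw Origin string.

    Anything that happens to end in the trusted name passes, so an unrelated
    registrable domain such as https://notoutpost24.com is treated as trusted,
    and so is every subdomain, whether or not it was meant to be.
    """
    return origin.endswith("outpost24.com")


def strict_allow(origin: str) -> bool:
    """Hardened check: parse the Origin and compare the exact host to the list."""
    parts = urlsplit(origin)
    return (
        parts.scheme == "https"
        and parts.netloc.lower() in TRUSTED_HOSTS  # exact host, no port, no userinfo
        and parts.path == "" and parts.query == "" and parts.fragment == ""
    )


def simulate_response(origin: str, allow: Callable[[str], bool]) -> Dict[str, str]:
    """Constructed stand-in for the server: echo the Origin when `allow` accepts
    it, with credentials enabled; otherwise send no CORS headers at all."""
    if allow(origin):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def classify(sent_origin: str, headers: Dict[str, str]) -> str:
    """Interpret one response the way the Intruder filter in step 4 does, with
    the distinctions a triager needs when reading the results."""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return "not trusted"
    if acao == "*":
        # Browsers will not attach cookies to a wildcard response, so the
        # impact is far lower than a reflected origin with credentials.
        return "wildcard"
    if acao == sent_origin:
        return "reflected with credentials" if creds else "reflected"
    return "fixed origin"


def find_trusted(candidates: List[str], allow: Callable[[str], bool]) -> List[str]:
    """Steps 2 to 4 of the manual method: send each candidate Origin and keep
    the ones that come back in Access-Control-Allow-Origin."""
    return [o for o in candidates
            if classify(o, simulate_response(o, allow)) != "not trusted"]


# Constructed candidate list standing in for subfinder output, plus the values a
# tester adds once a trusted host is known (look-alike host, prefix host, null).
CANDIDATES = [
    "https://outpost24.com",
    "https://www.outpost24.com",
    "https://api.outpost24.com",               # assumed subdomain, not on the allow-list
    "https://notoutpost24.com",                # look-alike that satisfies a suffix match
    "https://outpost24.com.attacker.example",  # trusted name as a prefix of another host
    "null",
]

if __name__ == "__main__":
    for name, allow in (("weak_allow", weak_allow), ("strict_allow", strict_allow)):
        print(f"{name}: {find_trusted(CANDIDATES, allow)}")
```

Running the block shows the difference between the two validators on the same candidate list: the suffix match reflects the two intended hosts, the unlisted subdomain and the look-alike domain, all with credentials, while the exact-match allow-list reflects only the two intended hosts. The `classify` output is also what you want to read off an Intruder attack: a reflected origin with `Access-Control-Allow-Credentials: true` is the case worth reporting, a wildcard without credentials usually is not.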