FixVibe

// 探测 / 聚焦

CORS Misconfiguration

Permissive Access-Control-Allow-Origin plus credentials means your API is everyone's API.

概要

CORS is one of the trickiest security controls on the web because it inverts the usual security mental model. Same-origin policy is the browser saying 'no by default'; CORS is the server saying 'yes, but only to these origins.' Configure that 'yes' wrong and the browser gleefully hands attacker-controlled JavaScript the ability to read authenticated API responses. The bug is invisible from your application logs — it lives entirely in response headers — and it's been written into countless tutorials in the form of 'just set Access-Control-Allow-Origin to *' to make the demo work. That demo ships to production more often than anyone wants to admit.

運作方式

CORS issues appear when a site grants browser cross-origin access too broadly, especially with credentials. That can let another origin read data that was meant to stay within the application.

影響范圍

Cross-origin authenticated data exfiltration. The victim visits `attacker.tld`. JavaScript on `attacker.tld` issues a `fetch('https://yourapi.com/me', { credentials: 'include' })`. The browser attaches the victim's session cookie. Your API responds with their data. CORS misconfiguration says 'this origin can read it,' so attacker JS reads the body and exfiltrates. The user never knew anything happened. Account data, billing info, message history — anything reachable from a logged-in session is on the table.

// fixvibe 檢查的內容

FixVibe 檢查的內容

FixVibe checks this class with verified-domain active testing that is bounded, non-destructive, and evidence-driven. Public reports describe the affected surface and remediation. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

铁壁防御

Maintain an explicit allowlist of trusted origins. The right shape: a `Set<string>` of canonical origins, with an exact-match check before echoing into `Access-Control-Allow-Origin`. The wrong shape: any code path that touches `req.headers.origin` and uses regex. Never combine `Allow-Credentials: true` with a wildcard origin (the spec rejects it but custom middleware sometimes ignores the spec). Reject `Origin: null` outright unless you have a specific cross-origin sandbox use case, in which case audit it carefully. Use the same CORS configuration in dev, staging, and production — drift between environments is where the prod bugs come from. For new APIs, default to no-CORS and add origins one at a time. As a sanity check, attempt a `fetch('https://yourapi.com/me', { credentials: 'include' })` from `https://example.com`'s console — if you can read the response body, you have a finding.

// 在你自己的應用上跑一遍

放心继續發布,FixVibe 持續幫你看守風险。

FixVibe 像攻击者一樣對你的應用公開面进行压力测試 —— 无代理、无安裝、无信用卡。我們持續研究新的漏洞模式,并把它們转化成实用检查和可直接用于 Cursor、Claude、Copilot 的修複方案。

主動探測
127
本類别中触發的测試
模塊
48
專属 主動探測 检查
每次扫描
487+
跨所有類别的测試
  • 免费 —— 无需信用卡,无需安裝,无需 Slack 通知
  • 只需粘贴 URL —— 我們爬取、探测、生成報告
  • 按严重程度分级,去重至只剩信號
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
運行免费扫描

// 最新检查 · 实用修複 · 安心發布

CORS Misconfiguration — 漏洞聚焦 | FixVibe · FixVibe