CORS 00: Origin Reflection
Goal: get the API to allow an untrusted origin while credentials are enabled.
Hints
- The API copies whatever Origin it receives straight into Access-Control-Allow-Origin.
- Access-Control-Allow-Credentials is set to true as well, which is the dangerous combination.
- You win when the Access-Control-Allow-Origin header in the response points at an attacker-controlled origin.
Why this works
When the API echoes any Origin and also allows credentials, the browser attaches the victim's cookies to a cross-origin request from an attacker site and then lets that site read the authenticated response body.
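The following is an added example, not the lab's own code: the reflecting handler from this challenge written as a pure function next to a hardened version that only echoes origins from an exact-match allowlist, plus a small check that flags the dangerous header combination in any captured response. The allowlist entry (https://app.example.com) and the sample origins are constructed placeholders.

```javascript
// Added example (not part of the lab): vulnerable origin reflection beside a
// hardened allowlist, as pure functions that can be tested without a server.

// Vulnerable: echoes any Origin and also allows credentials. A browser on any
// site can then send the victim's cookies and read the authenticated response.
function corsHeadersVulnerable(origin) {
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,          // reflection, no check
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Hardened: exact-match allowlist of full origins (scheme + host + port).
// Anything else, including the literal string "null", gets no
// Access-Control-Allow-Origin header at all, so the browser blocks the read.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com', // assumed trusted front-end (placeholder)
]);

function corsHeadersHardened(origin, allowlist = ALLOWED_ORIGINS) {
  if (!origin || !allowlist.has(origin)) {
    return { 'Vary': 'Origin' }; // Vary still set so caches key on Origin
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Defender check for captured responses or integration tests: does this
// response allow a credentialed cross-origin read from an origin that is not
// on the allowlist? Browsers refuse "*" together with credentials, but it is
// flagged too because it is still a misconfiguration worth fixing.
function isDangerousCombination(headers, allowlist = ALLOWED_ORIGINS) {
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'];
  if (!acao || acac !== 'true') return false;
  return acao === '*' || !allowlist.has(acao);
}

// Constructed sample Origin values: a trusted one, an untrusted one, and the
// opaque "null" origin a sandboxed iframe sends.
const SAMPLE_ORIGINS = ['https://app.example.com', 'https://attacker.example', 'null'];

for (const origin of SAMPLE_ORIGINS) {
  console.log(origin,
    'vulnerable flagged:', isDangerousCombination(corsHeadersVulnerable(origin)),
    'hardened flagged:', isDangerousCombination(corsHeadersHardened(origin)));
}
```

The check is the same one you would run against a real response: Access-Control-Allow-Origin equal to the request's Origin is only a finding when credentials are also allowed and the echoed origin is not one you deliberately trust.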