CORS 10: Weak Origin Validation
Goal: pass an attacker origin through a weak substring-based trust check.
Hints
- The validator only checks whether the trusted string appears anywhere.
- Subdomains and suffix tricks matter here.
- Think of an origin that contains the trusted brand but is still attacker-controlled.
Why this works
Substring matching is not origin validation. Attackers can register lookalike domains that contain the trusted string and still pass the check.
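The substring check described above next to a strict allowlist comparison, as an added JavaScript example that is not part of the original challenge; the allowlist, both validators and the sample Origin values are constructed for illustration (the .example domains are placeholders).

```javascript
// Added example (not from the original challenge): a substring-based origin
// check beside a strict allowlist check built on the WHATWG URL parser.

// Constructed allowlist of exact origins (scheme + host + port).
const ALLOWED_ORIGINS = new Set([
  "https://trusted.example",
  "https://app.trusted.example",
]);

// Weak validator: trusts any Origin value that merely contains the brand string.
function weakIsAllowed(origin) {
  return typeof origin === "string" && origin.includes("trusted.example");
}

// Strict validator: the Origin must parse, and its normalised origin must
// equal an allowlisted entry exactly; no substring or suffix matching.
function strictIsAllowed(origin) {
  if (typeof origin !== "string") return false;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // "null" and malformed Origin headers are rejected
  }
  // url.origin re-serialises scheme://host[:port], dropping path and userinfo
  return ALLOWED_ORIGINS.has(url.origin);
}

// Builds the CORS response headers for a validated origin, or null if rejected.
function corsHeadersFor(origin, isAllowed) {
  if (!isAllowed(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin, // echo the validated origin, never "*" with credentials
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's response to another
  };
}

// Constructed sample Origin values covering the hints above (subdomain and suffix tricks).
const SAMPLES = [
  "https://trusted.example",                  // legitimate
  "https://trusted.example.attacker.example", // trusted brand used as a subdomain label
  "https://nottrusted.example",               // trusted brand appears as a suffix
  "http://trusted.example",                   // scheme downgrade
  "https://trusted.example:8443",             // different port
];

// Runs both validators over the samples; the weak one accepts every entry.
function auditOrigins(origins = SAMPLES) {
  return origins.map((o) => ({ origin: o, weak: weakIsAllowed(o), strict: strictIsAllowed(o) }));
}
```

Only the first sample survives the strict check; every sample passes the weak one, which is exactly the gap this challenge exercises.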