CORS Misconfiguration Tester
Sends crafted requests with various Origin headers to the current site to detect dangerous CORS misconfigurations. Tests for reflected origins, null origin acceptance, subdomain wildcards, prefix/suffix bypasses, and credential leakage. Replicates Burp Suite Pro CORS audit ($449/yr).
Bookmarklet: drag it to your bookmarks bar, then run it on any website. All processing happens in your browser.
CORS Misconfiguration Tester
Cross-Origin Resource Sharing (CORS) lets a site tell browsers which other origins may read the responses to cross-origin requests; the request itself is usually still sent. Misconfigurations, such as reflecting any origin or accepting the null origin while also sending Access-Control-Allow-Credentials: true, let an attacker's page read responses that carry the victim's cookies, which is how sensitive data is stolen from authenticated users.
Common Misconfigurations
Reflected origin (the server copies whatever Origin header it receives into Access-Control-Allow-Origin), null origin acceptance (exploitable from a sandboxed iframe or a data: URI, both of which send Origin: null), trust of every subdomain (so one XSS on any subdomain reaches the API), prefix and suffix bypasses (a check anchored at only one end of the origin string, such as origin.endsWith("example.com") or an unanchored regex, also matches attackerexample.com or example.com.attacker.net), and HTTP origin downgrade (an http:// origin of the same host is trusted, so a network attacker can read HTTPS responses). This tool tests all of these automatically.
- CORS: Cross-Origin Resource Sharing, a browser security mechanism that controls which origins may read responses to cross-origin HTTP requests. Misconfigurations are a common web vulnerability.
🔓 CORS Misconfiguration Tester — FAQ
What is a reflected origin?
When a server copies whatever Origin header it receives into Access-Control-Allow-Origin, any website can read the response. If the response also carries Access-Control-Allow-Credentials: true, that includes responses to requests sent with the victim's cookies, which is the case that leaks private data.
Is wildcard (*) always dangerous?
A wildcard ACAO cannot be combined with credentials: browsers refuse to expose a response to a credentialed request when ACAO is *, so authenticated data is not readable this way. It still lets any site read responses that need no cookie, which matters if the endpoint relies on network position or an IP allowlist rather than a session.
Can this test API endpoints?
It tests the current page URL. For API endpoints, navigate to the API URL first, then click the bookmarklet.
What is a null origin attack?
Sandboxed iframes (sandbox="allow-scripts" without allow-same-origin), data: URIs and some redirects produce Origin: null. If the server answers with Access-Control-Allow-Origin: null and Access-Control-Allow-Credentials: true, an attacker can host such a frame and read credentialed responses, because any site can produce a null origin.
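The server side of the reflected-origin, prefix/suffix-bypass and null-origin cases, as an added example that is not the page's or any project's code: three origin checks run against the same constructed probe origins, showing which ones let a page read a cookie-bearing response and how an exact allowlist closes all of them. The allowlist entries and origin names are assumed for the demo.

```javascript
// Added example (not from the page): vulnerable origin checks beside a
// hardened one. Allowlist contents and probe origins are constructed.

const ALLOWED = new Set(["https://app.example.com", "https://admin.example.com"]);

// Vulnerable: echo whatever Origin arrives, with credentials. Every origin,
// "null" included, can read authenticated responses.
function reflectAny(origin) {
  if (!origin) return {};
  return { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true" };
}

// Vulnerable: "allow our domain and its subdomains" done with endsWith.
// Matches attackerexample.com (no dot check) and http://app.example.com
// (no scheme check).
function suffixMatch(origin) {
  if (!origin || !origin.endsWith("example.com")) return {};
  return { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true" };
}

// Hardened: exact match of the full origin (scheme + host + port) against a
// fixed set; "null" is never listed. Vary: Origin keeps a shared cache from
// replaying one origin's ACAO to another.
function allowlist(origin) {
  if (origin && ALLOWED.has(origin)) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin",
    };
  }
  return { "Vary": "Origin" };
}

// Would the browser let a page at `origin` read a response that carried
// cookies? Requires ACAO to equal the origin exactly (not "*") and ACAC: true.
function readsCredentialed(origin, headers) {
  return headers["Access-Control-Allow-Origin"] === origin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// Constructed probes an attacker controls, plus one legitimate origin.
const PROBES = [
  "https://attacker.example",      // arbitrary origin
  "null",                          // sandboxed iframe / data: URI
  "https://attackerexample.com",   // suffix bypass
  "http://app.example.com",        // HTTP downgrade of a trusted host
  "https://app.example.com",       // legitimate
];

// Which probe origins get to read credentialed responses under a given check?
function leaks(check) {
  return PROBES.filter((o) => readsCredentialed(o, check(o)));
}
```

reflectAny leaks to all five probes, suffixMatch to the suffix-bypass and downgrade probes as well as the legitimate one, and allowlist only to the legitimate origin; the allowlist is the shape to copy, with the full origin string as the key and no regex.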
Does this send malicious requests?
It sends ordinary GET requests to the current page with different Origin values and inspects the response headers. This is non-destructive: no payloads and no exploitation attempts, only reading what the server already returns. One caveat: browsers treat Origin as a forbidden request header, so a script running inside a page cannot set it freely; confirm any finding with a request issued from a second origin or from a non-browser client such as curl -H 'Origin: https://attacker.example'.