CORS misconfigurations show up constantly in AWS environments, usually on API Gateway or on web applications sitting behind CloudFront. The pattern is almost always the same: a wildcard or overly permissive Access-Control-Allow-Origin header that lets any origin make cross-origin requests to an authenticated endpoint.
The thing that makes CORS misconfigs interesting in AWS specifically is what is on the other side of that API. If a misconfigured CORS policy is on an API Gateway endpoint that returns credentials, session tokens, or account data, you are looking at a meaningful impact finding, not just a theoretical one.
What to Look For
Two patterns come up most often. The first is a wildcard origin response:
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
This combination is actually invalid per the spec, since a browser will not expose a credentialed response to a wildcard origin, but some implementations have logic bugs that still let credentials through. Worth testing manually regardless.
The more dangerous pattern is origin reflection:
Request:
Origin: https://evil.com
Response:
Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true
When the server reflects whatever origin you send back and also allows credentials, that is the full exploit chain. A malicious page can make authenticated cross-origin requests on behalf of a logged-in victim.
Testing It
In Burp, add an Origin header to any request and check whether the response reflects it back in Access-Control-Allow-Origin. If it does, check for Access-Control-Allow-Credentials: true. If both conditions are met, you have a real finding.
AWS-Specific Context
On API Gateway, CORS is configured at the resource level and it is easy to misconfigure. The console has a one-click Enable CORS option that sets * by default. A lot of developers hit that and move on without thinking about what is behind the endpoint.
On CloudFront, origin headers can get stripped or modified depending on the cache behavior config, which sometimes masks the misconfiguration from automated scanners. Test manually.
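As an added example (not code from the original post), here is the manual check from Testing It expressed as a header classifier, next to the allowlist logic an API Gateway Lambda proxy handler can return instead of reflecting the origin. The allowlist, the sample response, and the evil.com probe are constructed values.

```python
SAFE_ORIGINS = {"https://app.example.com"}  # hypothetical allowlist for the API


def classify_cors(sent_origin, headers):
    """Classify a response to a probe that carried Origin: <sent_origin>.

    sent_origin should be one the target has no reason to trust, as in the
    Burp test above. Returns 'reflected+creds' (full exploit chain),
    'wildcard+creds' (invalid per spec, still worth reporting), 'wildcard',
    'reflected', or 'ok'. Header names are matched case-insensitively.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "ok"
    if acao == "*":
        return "wildcard+creds" if creds else "wildcard"
    if acao == sent_origin:
        return "reflected+creds" if creds else "reflected"
    return "ok"


def cors_headers(request_origin, allowlist=SAFE_ORIGINS):
    """CORS headers for an API Gateway Lambda proxy response.

    Only an allowlisted origin is echoed back; anything else gets no
    Access-Control-Allow-Origin at all, so the browser blocks the read.
    Vary: Origin is set either way so a CloudFront cache does not serve
    one origin's response to another.
    """
    if request_origin not in allowlist:
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    probe = "https://evil.com"
    # Constructed response from an endpoint that reflects the origin.
    reflecting = {"Access-Control-Allow-Origin": probe,
                  "Access-Control-Allow-Credentials": "true"}
    print(classify_cors(probe, reflecting))            # reflected+creds
    print(classify_cors(probe, cors_headers(probe)))   # ok
```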
Severity typically lands at medium unless you can demonstrate meaningful impact with credentials, in which case high is defensible.