🛡 WEB INTERMEDIATE +90 XP · +40 no-hint bonus

CORS Misconfiguration — Origin Reflection

BankAPI's CORS handler reflects the Origin header into Access-Control-Allow-Origin AND sends Access-Control-Allow-Credentials: true. That's the worst possible CORS combination — an attacker site can read authenticated API responses. Steal the user's account data.

https://bookshop.local/search
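To see why the combination above is dangerous, here is an added example (not the lab's BankAPI code) in plain JavaScript: a hypothetical CORS handler written the vulnerable way beside an allowlisted version, plus the check a reviewer would run to decide whether a given origin can read credentialed responses. The allowlist entry and the origins used in the checks are constructed.

```javascript
// Constructed allowlist: the only front-end that should read BankAPI
// responses with cookies attached. Exact-match, scheme included.
const ALLOWED_ORIGINS = new Set(["https://app.bankapi.example"]);

// Vulnerable variant, as described in the lab: echoes whatever Origin the
// browser sent and also allows credentials, so any origin is granted a
// credentialed read of authenticated responses.
function corsHeadersReflecting(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Hardened variant: only an exact allowlist match gets a credentialed grant.
// Anything else (including the literal "null" origin and look-alike hosts)
// receives no CORS headers, so the browser blocks the cross-origin read.
function corsHeadersAllowlist(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",   // keep caches from serving one origin's grant to another
  };
}

// Reviewer's check: can `origin` read this response with credentials?
// Browsers require an exact ACAO match (not "*") together with ACAC: true.
function credentialedReadAllowed(headers, origin) {
  return headers["Access-Control-Allow-Origin"] === origin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// Sweep a set of origins against a handler and report which ones are granted.
function grantedOrigins(handler, origins) {
  return origins.filter((o) => credentialedReadAllowed(handler(o), o));
}
```

Running `grantedOrigins` with a handful of origins shows the reflecting handler granting every one of them, while the allowlisted handler grants only the configured front-end.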