CORS Playground

A simple web application designed to help you understand Cross-Origin Resource Sharing (CORS) security mechanisms and common misconfigurations.

Overview

CORS Playground is an intentionally vulnerable web application that demonstrates various CORS configurations and their security implications. By default, it comes with CORS configured in unsafe ways that can be easily exploited from different origins. This makes it an excellent learning tool for understanding CORS behavior, session cookie handling, and web application security.

Purpose

  • Learn how CORS policies work in real-world scenarios
  • Understand the interaction between CORS and cookie SameSite attributes
  • Practice identifying and exploiting CORS misconfigurations
  • Test different origin scenarios (same origin, subdomain, different domain, etc.)
  • Experiment with various cookie security settings

Features

  • Multiple CORS Modes: Switch between 6 different CORS configuration modes
  • Cookie Configuration: Test different SameSite cookie attributes (None, Lax, Strict)
  • Multiple Test Domains: Test CORS behavior from various origin types
  • HTTPS Support: Runs over HTTPS with self-signed certificates
  • Interactive UI: Web interface to test attacks from different origins
  • Debug Logging: Console logs to observe CORS request/response behavior

Installation

Prerequisites

  • Node.js (v14 or higher)
  • npm

Setup

  1. Clone the repository:
       git clone <repository-url>
       cd cors_playground
  2. Install dependencies:
       npm install
  3. Configure your hosts file (/etc/hosts on macOS/Linux, C:\Windows\System32\drivers\etc\hosts on Windows):
       # Domain for the CORS playground application itself
       127.0.0.1 playground.cors.test

       # Sibling domain at the same level as playground.cors.test
       127.0.0.1 project.cors.test

       # Subdomain of playground.cors.test
       127.0.0.1 pts.playground.cors.test

       # Unrelated domain under .com.au that merely contains "playground.cors.test"
       127.0.0.1 pts.playground.cors.test.com.au

       # Parent domain of playground.cors.test
       127.0.0.1 cors.test

       # A totally different domain
       127.0.0.1 another.domain.com
  4. Start the server:
       node app.js
  5. Access the application:
       https://playground.cors.test:5555

Note: You may need to accept the self-signed SSL certificate warning in your browser.

Default Credentials

  • Username: mduarte
  • Password: Pa55w0rd1

Available Endpoints

  • POST /login.html - Authentication endpoint
  • GET /main_page.html - Main application page (requires authentication)
  • GET / - Redirects to login or main page based on session
  • GET /logout - Clears session and logs out user
  • GET /api/v2/accounts - Protected API endpoint (requires authentication)
  • GET /api/v1/accounts - Legacy API endpoint (intentionally unsecured for testing)
  • GET /cors_attack.html - Attack demonstration page

CORS Configuration Modes

The application supports 6 different CORS modes that can be configured via the login form:

Mode 1: Allowed List (CASE1_ALLOWED_LIST)

Only origins in the allowedOrigins array are permitted:

  • https://cors.test:5555
  • https://pts.playground.cors.test:5555

Mode 2: Subdomain Check (CASE2_SUBDOMAINS)

Allows any subdomain matching .playground.cors.test (vulnerable to regex bypass)

Mode 3: Specific Host (CASE3_SPECIFIC_HOST)

Only allows the default app origin: https://playground.cors.test:5555

Mode 4: Any Host (CASE4_ANY_HOST)

Sets Access-Control-Allow-Origin: * (incompatible with credentials)

Mode 5: Reflect Origin (CASE5_REFLECT) - Default

Reflects whatever origin the request came from (highly vulnerable)

Mode 6: Null Origin (CASE6_NULL)

Sets Access-Control-Allow-Origin: null (exploitable from sandboxed iframes)
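The six modes above expressed as decision logic, written here as an added example in Node-style JavaScript (not the project's own app.js). The CASE2 regular expression, the corsHeaders helper and the hardened check are assumptions chosen to show the bypass the README mentions and the fix a reviewer would ask for, not code from the repository:

```javascript
// Added example, not the project's app.js: models the origin check behind each
// CORS mode and returns the Access-Control-Allow-Origin value to send, or null
// to refuse. The CASE2 regex is an assumption chosen to show the bypass the
// README mentions; the hardened check below is the fix a reviewer would ask for.
const APP_ORIGIN = 'https://playground.cors.test:5555';
const allowedOrigins = ['https://cors.test:5555', 'https://pts.playground.cors.test:5555'];

function corsAllowOrigin(mode, origin) {
  switch (mode) {
    case 'CASE1_ALLOWED_LIST':
      return allowedOrigins.includes(origin) ? origin : null;
    case 'CASE2_SUBDOMAINS':
      // Unanchored: also matches pts.playground.cors.test.com.au, an unrelated
      // host from the hosts file, because the pattern has no end-of-host anchor.
      return /\.playground\.cors\.test/.test(origin) ? origin : null;
    case 'CASE3_SPECIFIC_HOST':
      return origin === APP_ORIGIN ? origin : null;
    case 'CASE4_ANY_HOST':
      return '*';      // browsers refuse '*' together with credentials
    case 'CASE5_REFLECT':
      return origin;   // trusts every caller
    case 'CASE6_NULL':
      return 'null';   // sandboxed iframes and file:// pages send Origin: null
    default:
      return null;
  }
}

// Headers the middleware would emit. Vary: Origin keeps caches from serving
// one origin's response to another; credentials are never paired with '*'.
function corsHeaders(mode, origin) {
  const allow = corsAllowOrigin(mode, origin);
  if (allow === null) return {};
  const headers = { 'Access-Control-Allow-Origin': allow, Vary: 'Origin' };
  if (allow !== '*') headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Hardened replacement for CASE2: parse the Origin, require https and the app
// port, then match the hostname exactly or as a dot-delimited suffix.
function hardenedSubdomainCheck(origin) {
  let u;
  try { u = new URL(origin); } catch { return null; }
  if (u.protocol !== 'https:' || u.port !== '5555' || u.origin !== origin) return null;
  const host = u.hostname;
  const ok = host === 'playground.cors.test' || host.endsWith('.playground.cors.test');
  return ok ? origin : null;
}
```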

Cookie SameSite Attributes

The application allows testing three SameSite cookie settings:

  • None: Cookie sent with all cross-site requests (requires Secure flag)
  • Lax: Cookie sent with top-level navigation but not with cross-site subrequests
  • Strict: Cookie only sent with same-site requests

Testing CORS Attacks

  1. Log in to the application at https://playground.cors.test:5555
  2. On the main page, you'll see buttons for testing CORS attacks from different origins
  3. Click any button to open /cors_attack.html from a different domain
  4. Use browser DevTools or a proxy (like Burp Suite) to observe:
    • Origin headers in requests
    • CORS headers in responses
    • Cookie behavior with different SameSite settings
    • Whether requests succeed or fail based on CORS policy

Example Attack Scenarios

Scenario 1: Reflect Mode with Credentials

  • CORS Mode: 5 (Reflect)
  • SameSite: None
  • Attack from: another.domain.com
  • Result: Attack succeeds, credentials sent, data leaked

Scenario 2: Subdomain Bypass

  • CORS Mode: 2 (Subdomains)
  • Test from domains containing .playground.cors.test
  • Try bypass techniques in the origin header

Scenario 3: Wildcard with Credentials

  • CORS Mode: 4 (Any Host)
  • Result: Browser blocks credential sharing with wildcard origin

Sensitive Account Data

The application serves mock sensitive account data at /api/v2/accounts (the same data is exposed without authentication at the legacy /api/v1/accounts endpoint):

{
  "1": {
    "username": "mduarte",
    "Full Name": "Marta Carolina Duarte Diaz",
    "Roles": "Administrator",
    "API-key": "916f4c31aaa35d6b867dae9a7f54270d"
  },
  "2": {
    "username": "jsmith",
    "Full Name": "Joseph Smith",
    "Roles": "User",
    "API-key": "71694f4302eacf0b9faeef686bc1da31"
  },
  "3": {
    "username": "ppicapiedra",
    "Full Name": "Pedro Picapiedra",
    "Roles": "Operator",
    "API-key": "e75c2b1971d188a45fe4213d9e48a52a"
  }
}

Technical Details

  • Framework: Express.js 5.x (ES Modules)
  • Port: 5555 (HTTPS)
  • Protocol: HTTPS only
  • Session Management: HttpOnly cookies
  • Certificate: Self-signed (located in /cert/ directory)

Learning Resources

Understanding CORS

  • CORS allows servers to specify which origins can access resources
  • By default, browsers block cross-origin requests for security
  • CORS headers explicitly allow certain cross-origin requests

Common Vulnerabilities

  1. Reflected Origin: Reflecting any origin without validation
  2. Regex Bypass: Poor subdomain validation using vulnerable regex
  3. Null Origin: Trusting the null origin value
  4. Legacy Endpoints: Unsecured old API versions left accessible

Best Practices

  • Use explicit allowlist of trusted origins
  • Never reflect origin headers without strict validation
  • Avoid wildcard (*) when credentials are needed
  • Validate the origin by exact comparison against known values (scheme, host and port), not by loosely anchored regular expressions or substring matches
  • Remove or secure legacy API endpoints
  • Use appropriate SameSite cookie attributes
  • Combine CORS policies with proper authentication

Debugging

The application includes console logging to help you understand CORS behavior:

console.log('CORS Mode:', CURRENT_CORS_MODE, ' - Origin header received:', origin_req_header);

Check your terminal/console output when making requests to see how the server processes CORS headers.

Use Cases

  • Security Training: Learn about CORS vulnerabilities in a safe environment
  • Penetration Testing Practice: Practice identifying and exploiting CORS issues
  • Developer Education: Understand how to properly implement CORS policies
  • Bug Bounty Preparation: Train for real-world CORS vulnerability discovery

Important Notes

  • This application is intentionally vulnerable for educational purposes
  • DO NOT deploy this application to production or public-facing environments
  • Use only in isolated development/testing environments
  • Self-signed certificates will trigger browser warnings (this is expected)

Troubleshooting

Certificate Errors

If you encounter SSL certificate errors:

  • Accept the certificate warning in your browser
  • Or generate new certificates using openssl

Hosts File Not Working

  • Ensure you edited the hosts file with administrator/root privileges
  • Clear your DNS cache after modifying hosts file:
    • macOS: sudo dscacheutil -flushcache
    • Windows: ipconfig /flushdns
    • Linux: sudo systemd-resolve --flush-caches

Port Already in Use

If port 5555 is already in use:

  • Stop any other instances of the app
  • Or modify the server_port variable in app.js

Contributing

This is an educational tool. If you have suggestions for additional CORS scenarios or improvements, feel free to contribute!

License

This project is provided for educational purposes only.

Disclaimer

This application contains intentional security vulnerabilities for educational purposes. The authors are not responsible for any misuse of this application. Use only in authorized testing environments where you have explicit permission.
