Add CORS misconfiguration skill (vulnerabilities)#615
Conversation
Greptile SummaryThis PR adds a new vulnerability skill document (
Confidence Score: 5/5Documentation-only addition with no runtime code changes; safe to merge. The change is a single new Markdown skill document with no effect on executable code, tests, or configuration. The technical content is accurate — origin reflection mechanics, null-origin exploitation via sandboxed iframes, bypass patterns for common validator mistakes, wildcard semantics, and the Vary: Origin cache-poisoning vector are all described correctly and consistently with browser and HTTP spec behavior. The structure and depth match existing peer skills. No files require special attention. Important Files Changed
Reviews (2): Last reviewed commit: "Add Vary: Origin cache-poisoning vector ..." | Re-trigger Greptile |
|
Thanks for the thorough review! Good catch on the
Let me know if you'd like any further adjustments. |
Add CORS Misconfiguration skill (vulnerabilities)
This adds a new skill:
strix/skills/vulnerabilities/cors_misconfiguration.md.Why
The vulnerabilities skill set covers XSS, SSRF, CSRF, SSTI, IDOR, and more, but there is no dedicated CORS misconfiguration skill. CORS misconfiguration is a distinct, high-impact vulnerability class:
The existing
csrfskill mentions CORS only in passing, so agents lack a focused playbook for detecting and validating it.What's included
Following the existing skill format (YAML frontmatter + structured sections), the skill covers:
null/ subdomain probes and weakness signals)nullorigin trust, weak validation (prefix/suffix/substring/unanchored-regex bypasses), wildcard exposure, trusted-origin compromisefetch(..., {credentials:'include'})PoCsNotes
open_redirect.md,csrf.md).