Add CORS misconfiguration skill (vulnerabilities)#615

Open
ViperDroid wants to merge 2 commits into usestrix:main from ViperDroid:add-cors-skill

Conversation

@ViperDroid

Add CORS Misconfiguration skill (vulnerabilities)

This adds a new skill: strix/skills/vulnerabilities/cors_misconfiguration.md.

Why

The vulnerabilities skill set covers XSS, SSRF, CSRF, SSTI, IDOR, and more, but there is no dedicated CORS misconfiguration skill. CORS misconfiguration is a distinct, high-impact vulnerability class:

  • CSRF abuses ambient authority to send state-changing requests.
  • CORS misconfiguration lets a malicious origin read authenticated cross-origin responses (PII, tokens, CSRF tokens, API keys).

The existing csrf skill mentions CORS only in passing, so agents lack a focused playbook for detecting and validating it.

What's included

Following the existing skill format (YAML frontmatter + structured sections), the skill covers:

  • Attack surface and high-value targets
  • Reconnaissance (Origin reflection / null / subdomain probes and weakness signals)
  • Key vulnerabilities: origin reflection + credentials, null origin trust, weak validation (prefix/suffix/substring/unanchored-regex bypasses), wildcard exposure, trusted-origin compromise
  • Exploitation scenarios with working fetch(..., {credentials:'include'}) PoCs
  • Testing methodology, validation steps, false positives, impact, pro tips

Notes

  • Docs/skill only — no code changes, so it does not affect tests, linting, or type checks.
  • Matches the structure and depth of existing skills (e.g. open_redirect.md, csrf.md).
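To make the "weak validation" bypasses in the description concrete, here is an added example (not code from the strix skill or from this PR) that puts the prefix, suffix, substring and unanchored-regex validator patterns, plus a literal "null" allowlist entry, next to a strict exact-match allowlist and runs each against attacker-controllable probe origins. The trusted origin and the probe hostnames are constructed for illustration.

```javascript
// Added example, not code from the strix skill or this PR. Each validator
// below reproduces one of the weak-validation patterns named in the PR; the
// last one is the strict form. Origins and hostnames are constructed.
const TRUSTED = "https://app.example.com";
const ALLOWLIST = new Set([TRUSTED]);

const validators = {
  // Prefix check: anything that merely starts with the trusted origin passes.
  prefix: (origin) => origin.startsWith(TRUSTED),
  // Suffix check meant as "any example.com subdomain" but missing the dot boundary.
  suffix: (origin) => origin.endsWith("example.com"),
  // Substring check: the trusted host may appear anywhere in the origin.
  substring: (origin) => origin.includes("app.example.com"),
  // Unanchored regex with unescaped dots: no ^/$ anchors and "." matches any character.
  regex: (origin) => /https:\/\/app.example.com/.test(origin),
  // Literal "null" added to the allowlist, typically to support file:// or sandboxed pages.
  nullAllowed: (origin) => origin === TRUSTED || origin === "null",
  // Strict: exact match of the full origin (scheme + host + port) against a fixed set.
  strict: (origin) => ALLOWLIST.has(origin),
};

// Origins an attacker can actually serve a page from (a registrable domain or a
// sandboxed iframe), annotated with the weakness each one is built to slip past.
const PROBES = [
  "https://app.example.com",            // the legitimate origin itself
  "https://app.example.com.evil.test",  // trusted origin reused as a subdomain prefix
  "https://evilexample.com",            // trusted suffix without a dot boundary
  "https://appXexample.com",            // unescaped "." in the regex matches "X"
  "null",                               // origin sent by a sandboxed iframe / data: URL
];

// Probe origins the named validator accepts that are not the real origin, i.e. the
// hosts from which an attacker page could perform a credentialed cross-origin read.
function bypasses(name) {
  return PROBES.filter((o) => o !== TRUSTED && validators[name](o));
}

// Headers the server would emit for an accepted origin: reflected origin plus
// credentials, exactly the pair a fetch(..., {credentials: 'include'}) from that
// origin needs in order to read the authenticated response body.
function corsHeadersFor(name, origin) {
  if (!validators[name](origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // Without Vary: Origin a shared cache may serve this ACAO to other origins.
    "Vary": "Origin",
  };
}

for (const name of Object.keys(validators)) {
  console.log(name.padEnd(12), bypasses(name).join(", ") || "(no bypass)");
}
```

Running it prints one line per validator; only `strict` reports no bypass. The `suffix` and `regex` checks are the ones that fail in two different ways at once, which is why the skill's probe set sends both a `<trusted>.evil.test` origin and a `<trusted-with-one-character-changed>` origin rather than a single reflection probe.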

@greptile-apps

greptile-apps Bot commented Jul 1, 2026

Contributor

Greptile Summary

This PR adds a new vulnerability skill document (strix/skills/vulnerabilities/cors_misconfiguration.md) for CORS misconfiguration testing, filling a gap in the existing skill set. No code is changed.

  • Covers the full attack surface: origin reflection + credentials, null-origin trust, weak validation bypasses (prefix/suffix/substring/regex), wildcard exposure, and missing Vary: Origin cache-poisoning — each with reconnaissance signals, PoC fetch snippets, and validation steps.
  • Follows the established YAML frontmatter + section structure of existing skills like csrf.md and open_redirect.md, and correctly distinguishes CORS misconfiguration from CSRF in the intro.

Confidence Score: 5/5

Documentation-only addition with no runtime code changes; safe to merge.

The change is a single new Markdown skill document with no effect on executable code, tests, or configuration. The technical content is accurate — origin reflection mechanics, null-origin exploitation via sandboxed iframes, bypass patterns for common validator mistakes, wildcard semantics, and the Vary: Origin cache-poisoning vector are all described correctly and consistently with browser and HTTP spec behavior. The structure and depth match existing peer skills.

No files require special attention.

Important Files Changed

Filename Overview
strix/skills/vulnerabilities/cors_misconfiguration.md New skill document covering CORS misconfiguration detection and exploitation; technically accurate with well-structured sections matching existing skill conventions

Reviews (2): Last reviewed commit: "Add Vary: Origin cache-poisoning vector ..."

Comment thread strix/skills/vulnerabilities/cors_misconfiguration.md
@ViperDroid

Author

Thanks for the thorough review! Good catch on the Vary: Origin cache-poisoning vector — it's a genuinely distinct attack surface. I've pushed an update that adds it to:

  • Reconnaissance (weakness signal: reflection with missing Vary: Origin)
  • Key Vulnerabilities (new "Missing Vary: Origin (Cross-Origin Cache Poisoning)" subsection with the CDN/reverse-proxy replay scenario)
  • Testing Methodology (a cache-poisoning probe step)
  • False Positives (clarifying that reflection without Vary: Origin isn't automatically safe)

Let me know if you'd like any further adjustments.
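The reconnaissance signals discussed in this thread (reflection, credentialed reflection, null-origin trust, wildcard, and reflection without Vary: Origin on a cacheable response) reduce to a small classifier over one probe and its response headers. The following is an added example, not the strix skill's own code; the sample exchange is constructed, not captured from any host, and the probe hostnames are illustrative.

```javascript
// Added example, not code from the strix skill or this PR. Classifies a single
// CORS probe from the Origin value we sent and the response headers we got back.
// Sample headers are constructed for illustration.
function assessCorsResponse(probeOrigin, headers) {
  // Header names are case-insensitive; fold them once.
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const acao = h["access-control-allow-origin"];
  const credentials =
    (h["access-control-allow-credentials"] || "").trim().toLowerCase() === "true";
  const vary = (h["vary"] || "").split(",").map((s) => s.trim().toLowerCase());
  const cacheControl = (h["cache-control"] || "").toLowerCase();
  // Reflection without Vary: Origin only matters if a shared cache may store it.
  const cacheable = !/\b(no-store|private)\b/.test(cacheControl);

  const findings = [];
  if (acao === undefined) return findings; // no ACAO: the browser blocks the read

  if (acao === "*") {
    // Browsers reject "*" together with credentials, so at most public data is
    // readable; the combination is still a misconfiguration worth recording.
    findings.push(credentials ? "wildcard-with-credentials" : "wildcard-public");
    return findings;
  }

  if (acao !== probeOrigin) return findings; // fixed allowlisted value, not reflection

  if (probeOrigin === "null") {
    findings.push(credentials ? "null-origin-trusted-credentialed" : "null-origin-trusted");
  } else {
    findings.push(credentials ? "reflection-credentialed" : "reflection");
  }
  // A reflected ACAO stored by a shared cache without Vary: Origin is handed to
  // every later requester of that URL, whatever Origin they send.
  if (cacheable && !vary.includes("origin")) findings.push("missing-vary-origin");
  return findings;
}

// The probes the PR's reconnaissance section names, derived from the target's
// own origin: an arbitrary attacker origin, "null", and a registrable host that
// embeds the target hostname as a subdomain prefix.
function probeOriginsFor(targetOrigin) {
  const hostname = new URL(targetOrigin).hostname;
  return ["https://evil.test", "null", `https://${hostname}.evil.test`];
}

// Constructed sample exchange: a reflecting, credentialed, cacheable endpoint.
const SAMPLE = {
  probe: "https://evil.test",
  headers: {
    "Access-Control-Allow-Origin": "https://evil.test",
    "Access-Control-Allow-Credentials": "true",
    "Cache-Control": "public, max-age=60",
  },
};
console.log(assessCorsResponse(SAMPLE.probe, SAMPLE.headers));
// → [ 'reflection-credentialed', 'missing-vary-origin' ]
```

Two of the branches are the false-positive guards a tester wants: a response whose ACAO is a fixed trusted value that happens not to equal the probe is not reflection, and reflection on a `Cache-Control: no-store` or `private` response does not get the cache-poisoning flag even when Vary: Origin is absent.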

@bearsyankees

Collaborator

@greptile

2 participants