XowiaScan

CORS Misconfig Tester

Recon & Discovery

Probe a target’s CORS behavior with a spoofed Origin to find credential-exposing misconfigurations.

What is CORS Misconfig Tester?

CORS Misconfig Tester sends requests with crafted Origin headers and inspects how the server responds in Access-Control-Allow-Origin (ACAO) and Access-Control-Allow-Credentials (ACAC). Permissive combinations can let any site read authenticated responses.

It checks the dangerous patterns testers care about — reflected origins, null origin, and wildcard-with-credentials — and explains the impact of each.

What it tests

  • Reflected origin — does the server echo an arbitrary Origin into ACAO?
  • Credentialed wildcard — ACAO: * with ACAC: true, the classic data-exfiltration setup.
  • Null origin — acceptance of Origin: null, reachable from sandboxed iframes.
  • Pre-flight behavior — how the server handles OPTIONS and allowed methods/headers.
  • SSRF-safe — the target is validated before any request.

Where it fits in your workflow

  • Confirm whether a cross-origin data-theft scenario is actually exploitable.
  • Demonstrate impact for an authenticated API endpoint.

Use CORS Misconfig Tester

Run it from your dashboard.


At a glance

Category: Recon & Discovery
Runs: Server-side
Token cost: 3 / run (free tier)
Access: Pro
Status: Live

Frequently asked questions

Does a reflected origin always mean a vulnerability?

Not always — impact depends on whether credentials are allowed and the endpoint returns sensitive data. The tool flags the configuration; you confirm the data exposure.
