CORS Checker

Cross-Origin Resource Sharing Analyzer

"Tests for CORS misconfigurations that allow malicious sites to read your API responses."

What it does

CORS (Cross-Origin Resource Sharing) controls which websites are allowed to make cross-origin requests to your API. A misconfigured CORS policy can allow any website on the internet to make authenticated requests to your API and read the responses — effectively allowing attackers to steal data from your users.

The most dangerous misconfigurations are: allowing all origins with credentials, reflecting the request's Origin header back without validation, and allowing null origins. This tool sends targeted requests that test for these patterns specifically.

Example findings

  • CRITICAL: CORS — Arbitrary Origin Reflected with Credentials [cors]
  • HIGH: CORS — Null Origin Accepted (Sandboxed Iframe Attack) [cors]
  • HIGH: CORS — Wildcard Origin with Credentials Enabled [cors]
  • MEDIUM: CORS — Overly Broad Origin Pattern Accepted [cors]

What it finds

  • Wildcard CORS with credentials enabled (critical misconfiguration)
  • Origin reflection without validation
  • Null origin accepted (exploitable from sandboxed iframes)
  • Overly permissive CORS headers on sensitive endpoints
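
The checks described above, sketched as an added example (not the tool's own code): it classifies the CORS response headers a server returns for three probe origins. The trusted host, the probe origins and the three server policies are constructed assumptions standing in for real HTTP responses.

```python
# Added example: severities and titles follow the page's "Example findings" list.
TRUSTED_HOST = "app.example.com"  # assumption: the API's one legitimate web origin

PROBES = {  # constructed Origin values a checker could send
    "arbitrary": "https://cors-probe.invalid",
    "null": "null",
    "lookalike": f"https://{TRUSTED_HOST}.cors-probe.invalid",
}

def cors_headers(raw):
    """Normalise header names; return (allow_origin, credentials_enabled)."""
    h = {k.lower(): v.strip() for k, v in raw.items()}
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    return h.get("access-control-allow-origin"), creds

def scan(respond):
    """respond(origin) -> response headers dict; returns [(severity, title)]."""
    findings = []
    acao, creds = cors_headers(respond(PROBES["arbitrary"]))
    if acao == "*" and creds:
        findings.append(("HIGH", "Wildcard Origin with Credentials Enabled"))
    reflected = acao == PROBES["arbitrary"]
    if reflected and creds:
        findings.append(("CRITICAL", "Arbitrary Origin Reflected with Credentials"))
    acao, _ = cors_headers(respond(PROBES["null"]))
    if acao == "null":
        findings.append(("HIGH", "Null Origin Accepted"))
    acao, _ = cors_headers(respond(PROBES["lookalike"]))
    # A broad pattern is a distinct finding only when the arbitrary probe was refused.
    if acao == PROBES["lookalike"] and not reflected:
        findings.append(("MEDIUM", "Overly Broad Origin Pattern Accepted"))
    return findings

# Constructed server policies standing in for real HTTP responses.
def reflect_all(origin):  # echoes any Origin back and enables credentials
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}

def prefix_match(origin):  # weak check: startswith instead of exact comparison
    ok = origin.startswith(f"https://{TRUSTED_HOST}")
    return {"access-control-allow-origin": origin, "Vary": "Origin"} if ok else {}

def strict(origin):  # corrected form: exact allowlist comparison
    ok = origin == f"https://{TRUSTED_HOST}"
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"} if ok else {}

if __name__ == "__main__":
    for policy in (reflect_all, prefix_match, strict):
        print(policy.__name__, scan(policy))
```

The `strict` policy is the hardened counterpart of the other two: it compares the full origin string against an allowlist and returns no CORS headers otherwise.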