From penetration-tester
Audits target CORS posture for origin reflection, credentials/wildcard mismatch, missing Vary header, and preflight caching issues. Triggers: 'audit cors', 'check cors policy'.
How this skill is triggered — by the user, by Claude, or both
Slash command
/penetration-tester:auditing-cors-policyThis skill is limited to the following tools:
These tools are removed from Claude's available pool while this skill is active:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
CORS misconfiguration is one of the most common middle-severity findings
CORS misconfiguration is one of the most common middle-severity findings
in web bug bounties. The browser-enforced rules are subtle, the failure
modes are silent (the wrong cors response just works until an attacker
weaponizes it), and the "fix" engineers reach for —
Access-Control-Allow-Origin: * — opens the very class of attacks CORS
was meant to prevent when paired with credentials.
This skill probes each common CORS misconfiguration with synthetic Origin headers and grades the response.
| Finding | Severity | Threshold | Affected control |
|---|---|---|---|
| Origin reflected without validation | HIGH | Synthetic Origin https://attacker.example echoed in Allow-Origin | OWASP A05:2021 |
| Allow-Credentials:true with wildcard Allow-Origin | CRITICAL | Browser rejects but server is asserting the worst combo | OWASP A05:2021 |
| Allow-Credentials:true with reflected Origin | CRITICAL | Attacker site can read authenticated responses cross-origin | OWASP A05:2021, CWE-942 |
| Subdomain wildcard pattern bypass | HIGH | Allow-Origin: *.example.com matches attacker.example.com.evil.com | CWE-942 |
| Missing Vary:Origin on per-origin response | MEDIUM | CDN caches one origin's response for all origins | RFC 7234 |
| Preflight cache > 86400s | LOW | Access-Control-Max-Age over 24h limits revocation agility | MDN best practice |
| Null Origin trusted | HIGH | Allow-Origin: null accepted (sandboxed iframes, data: URLs) | CWE-942 |
| All HTTP methods permitted | MEDIUM | Allow-Methods: * enables CSRF-via-CORS for state-change | OWASP A05:2021 |
requests library)../analyzing-tls-config/references/AUTHORIZATION.md)"Do you have authorization to perform CORS testing on this target?
I need confirmation before proceeding."
python3 ${CLAUDE_PLUGIN_ROOT}/skills/auditing-cors-policy/scripts/audit_cors.py \
https://api.example.com/endpoint \
--authorized
Options:
Usage: audit_cors.py URL [OPTIONS]
Options:
--authorized Attest authorization for non-local targets (required)
--output FILE Write findings to FILE
--format FMT json | jsonl | markdown (default: markdown)
--min-severity SEV (default: info)
--timeout SECS Per-probe timeout (default: 10)
--method METHOD HTTP method for the main probe (default: GET)
The scanner sends multiple probes per target:
For each, it records the response's CORS headers and grades against the threshold table above.
CRITICAL = credential-stealing chain available; ship same-day fix. HIGH = arbitrary cross-origin read of public-but-sensitive content; ship within sprint. MEDIUM/LOW = posture hardening; backlog.
If CORS findings land alongside auth findings (skill #20 confirming- pentest-authorization would have caught the auth side at engagement
scope), suggest authentication-validator plugin for full session-
handling audit.
User: "Bug bounty submission claims CORS bypass on /api/profile."
python3 ${CLAUDE_PLUGIN_ROOT}/skills/auditing-cors-policy/scripts/audit_cors.py \
https://api.example.com/profile \
--authorized \
--format json | jq '.[] | select(.severity == "critical" or .severity == "high")'
If the reflected-origin probe + Allow-Credentials:true both fire, the
submission is valid; pay the bounty and ship the fix from PLAYBOOK.md.
User: "We're rolling out a new gateway — audit every endpoint's CORS posture."
for ENDPOINT in $(cat endpoints.txt); do
python3 ${CLAUDE_PLUGIN_ROOT}/skills/auditing-cors-policy/scripts/audit_cors.py \
"$ENDPOINT" --authorized --min-severity high --format jsonl >> cors-audit.jsonl
done
jq -s 'group_by(.severity) | map({sev: .[0].severity, count: length})' cors-audit.jsonl
Drop into deploy gate:
- name: CORS posture gate
run: |
python3 plugins/security/penetration-tester/skills/auditing-cors-policy/scripts/audit_cors.py \
https://staging-api.example.com/auth \
--authorized \
--min-severity high
Exit 1 fails the deploy if any new high/critical lands.
JSON / JSONL / Markdown per lib/report.py. Exit 0 clean, 1 high/
critical, 2 error.
references/THEORY.md — How CORS works, why each finding mattersreferences/PLAYBOOK.md — Allow-list config templates per server
type / framework (nginx, Express, Spring, FastAPI, Rails)../analyzing-tls-config/references/AUTHORIZATION.md — Active-scan
authorization patternnpx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin penetration-tester2plugins reuse this skill
First indexed Jul 18, 2026
Verifies CORS policy enforcement by testing origin reflection, null origin, subdomain bypass, wildcard-with-credentials, and preflight correctness using targeted curl and browser tests.
Validates CORS configurations in web apps/APIs for security misconfigurations like wildcard origins, origin reflection, permissive methods/headers.
Identifies exploitable CORS misconfigurations: origin reflection, null-origin trust, subdomain-regex bypasses, pre-flight gating, and postMessage flaws. Use when testing API endpoints or SPAs emitting Access-Control-* headers.