API Securitycorsapi-securitymisconfigurationinformation-disclosureaccess-control

Nine Hosts, One Wildcard, Zero Access Control

high

April 14, 2026

9 min read

Severityhigh

CVSS0.0

AttackAPI Security

Nine Hosts, One Wildcard, Zero Access Control

The engagement covered the full external attack surface of a media infrastructure company. The company operated a platform used by broadcasters and content distributors to manage live streaming workflows — channel scheduling, playout automation, distribution routing, and the monitoring interfaces that tied all of it together. Most of the interesting infrastructure lived in subdomains: dozens of API hosts, administrative interfaces, monitoring dashboards, and internal tooling that had been exposed to the internet, intentionally or otherwise, over years of growth.

Subdomain enumeration returned a long list. I worked through it methodically — resolving each hostname, checking what was listening, identifying which hosts accepted unauthenticated connections, and categorizing the remainder by what authentication they required.

By the time I reached the API hosts, I had already found several issues worth documenting. What I had not expected was to find the same misconfiguration, identically configured, across nine separate API subdomains.

The First Host

The first indication came from a routine check I run against any API endpoint: sending a request with a fabricated Origin header and examining what comes back.

http

GET /api/v2/channels HTTP/1.1
Host: api-prod.example.com
Authorization: Bearer <test_token>
Origin: https://attacker.example

The response:

http

HTTP/1.1 200 OK
Content-Type: application/json
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Authorization, Content-Type, X-Requested-With
 
{"channels": [...], "total": 47, "account_id": "..."}

A wildcard CORS policy on an endpoint that returned channel configuration, account identifiers, and operational data. Not a public informational endpoint. An authenticated endpoint that the application treated as sensitive.

The wildcard header told browsers — all browsers, for all origins — that the response content could be read by cross-origin JavaScript. The authorization check on the backend was intact; the token was still required. But the CORS policy negated any protection that same-origin enforcement would otherwise provide to clients holding valid tokens.

Checking the Adjacent Hosts

Finding one misconfigured host always raises the question of whether adjacent infrastructure shares the same configuration. In a large deployment, consistent misconfiguration across many hosts typically means the configuration came from a shared template — a Terraform module, a Kubernetes ConfigMap, an Nginx configuration block applied uniformly. Individual host-by-host misconfiguration of this kind is unusual.

I had enumerated seventeen API-pattern subdomains during the initial discovery phase. I ran the same CORS probe against each of them.

Nine returned the wildcard header.

The nine hosts were not a random selection. They corresponded to the company's primary production API clusters — the hosts that actual clients used to interact with the platform. The remaining eight hosts either did not serve CORS headers at all, returned more restrictive policies, or were infrastructure hosts that did not expose API endpoints.

The pattern made the root cause clear: the wildcard policy came from a shared ingress configuration applied to the production API tier. All nine hosts inherited it. Every endpoint on every host was affected.

What the Endpoints Returned

The scope of the misconfiguration mattered as much as its presence. A wildcard CORS policy on endpoints that return only publicly available information is low severity — the same data is accessible without CORS. The severity scales with what the affected endpoints return to authenticated requests.

I catalogued the endpoint categories across the nine hosts by examining API documentation referenced in JavaScript source, response structures from authenticated requests, and the naming patterns of API paths.

The affected endpoints included:

Account and user data. Endpoints returning account profile information, associated email addresses, subscription tier, and billing contact details. The response structure was consistent with data the application used to populate user-facing dashboard views.

Channel and broadcast configuration. Endpoints returning full channel definitions — playout schedules, source configurations, output stream specifications, and associated distribution targets. For a broadcast infrastructure platform, channel configuration is operationally sensitive: it describes exactly how content is being delivered and to where.

Access credentials and token metadata. Endpoints returning information about active API tokens, including creation timestamps, scope assignments, and last-use data. Not the raw token values, but the metadata structure that maps tokens to their permissions and associated accounts.

Internal service routing. Endpoints returning internal endpoint addresses and service identifiers used by the platform's own components for inter-service communication. The values were not credentials, but they described the internal topology in sufficient detail to be useful for understanding where subsequent requests should be directed.

Each of these categories represented data that an authenticated client holding a valid token had legitimate access to. The issue was not that the data was accessible to authenticated requests — that was intended. The issue was that the CORS policy permitted that data to be read by JavaScript running on any external page, provided that page could include the client's token in the request.

The Exploitable Scenario

Demonstrating exploitability required constructing a scenario where a victim who held a valid API token visited an attacker-controlled page, and that page used cross-origin requests to extract data from the affected endpoints.

The realistic trigger was straightforward for this class of API customer. The platform issued API tokens to broadcasters and content distribution partners — organizations, not just end users. Partner developers who held tokens would have them available in their browser environments, authentication flows, or local development setups. A targeted attack could reach these individuals through any number of vectors: phishing, malicious redirects from a compromised resource, or social engineering through apparent customer communication.

A proof-of-concept page on a domain I controlled made a cross-origin request to one of the affected hosts using a token I held for my own test account:

javascript

fetch('https://api-prod.example.com/api/v2/channels', {
  headers: {
    'Authorization': 'Bearer ' + storedToken,
    'Content-Type': 'application/json'
  }
})
.then(r => r.json())
.then(data => {
  // data contains authenticated API response
  document.getElementById('output').textContent = JSON.stringify(data);
});

The request succeeded. The browser received a 200 with full response body and exposed it to the JavaScript, because the Access-Control-Allow-Origin: * header explicitly authorized it. The same-origin policy, which would have blocked this in the absence of a permissive CORS header, had nothing to enforce.

The distinction from cookie-authenticated systems is worth being precise about. When an API uses cookies for authentication and a client sets withCredentials: true in the cross-origin request, browsers refuse to expose the response if the CORS policy is a wildcard — the combination of wildcard and credentials is rejected by the browser. This protection did not apply here. The API used Bearer tokens in the Authorization header. No withCredentials flag was needed. The token traveled in the header, the wildcard CORS policy permitted the response to be read, and the browser complied.

Scope and Configuration Root Cause

Working backwards from the nine affected hosts to their configuration source required examining what infrastructure managed the API tier's ingress.

The company used a Kubernetes-based deployment. The API hosts were backed by ingress resources pointing to API service pods. The CORS header appeared uniformly in responses, consistently formatted, across all nine hosts — which indicated the header was being added at the ingress layer rather than by the application code.

A configuration block added to the shared ingress definition for the API tier, applying CORS headers globally, explained both the consistency and the scope. Every endpoint on every host routed through that ingress definition inherited the wildcard policy.

The consequence of the root cause was also the remediation path. Rather than hunting down nine separate configurations, fixing one ingress definition would correct all nine hosts simultaneously. The wildcard needed to be replaced with an explicit allowlist: the actual client origins that the API was intended to serve — the domains of the company's own web applications and the registered origins of known partner integrations.

Remediation

The ingress CORS configuration was replaced with an explicit allowlist of permitted origins. The policy moved from:

Access-Control-Allow-Origin: *

to a dynamic origin check: inbound Origin headers are matched against a stored list of registered client domains. When the origin matches, it is reflected in the response header. When it does not match, no CORS header is returned, and the browser's same-origin policy applies.

For the partner API use case — where client applications operate from many domains — the registration model is appropriate: partners register their application origins during API credential issuance, and those origins are added to the allowlist. Unregistered origins do not receive permissive CORS headers.

Secondary controls added as part of the remediation included explicit scope restrictions in the API token issuance flow — tokens with broad scope, previously usable by any client holding them, were given narrower default scopes — and review of the ingress configuration management process to add CORS policy to the items requiring explicit sign-off during infrastructure changes.

One Configuration, Nine Findings

The uniform nature of this misconfiguration made it representative of a pattern that appears frequently in large deployments: a single infrastructure decision that applies broadly, never revisited after the initial deployment.

In this case, the wildcard policy was likely added during early development to avoid dealing with CORS errors before the list of production client origins was finalized. Development convenience that became production configuration. By the time the API tier was serving live broadcast workflows for paying customers, the CORS policy had been in place long enough that no one actively thought about it.

Finding nine instances of the same issue is not nine separate failures. It is one failure applied nine times by design. The scope is not evidence that the team made nine separate mistakes — it is evidence that one decision propagated further than it should have.

For a deeper look at how CORS misconfiguration works and the full range of exploitable configurations, see the CORS misconfiguration knowledge article.

Apr 13, 2026

Enterprise GitLab With the Front Door Wide Open

An enterprise GitLab installation used by a global media technology company to host proprietary infrastructure code, deployment configurations, and CI/CD pipelines was configured with open user registration enabled. Any external party could create an account, browse internal repositories, clone source code, and read environment files containing credentials for production systems — no invitation required.

Apr 12, 2026

Chaining a Subdomain XSS Into API Token Theft

A cross-site scripting vulnerability on a help-center subdomain of a cryptocurrency exchange seemed low-risk in isolation. The exchange's main trading API disagreed: its CORS configuration trusted that subdomain as an allowed origin, turning reflected XSS into a mechanism for making credentialed requests to every authenticated trading endpoint.

Apr 7, 2026

The Staging Server No One Password-Protected

During a web application assessment of a digital asset trading platform, subdomain enumeration surfaced a staging blog environment with no authentication. Every unpublished post, internal announcement, and draft disclosure was readable by anyone with a browser and the subdomain name.

From the Knowledge Base

vulnerabilityCWE-639

Insecure Direct Object References: The Most Common Access Control Flaw

Insecure direct object references occur when an application exposes internal object identifiers without verifying that the requesting user is authorized to access them, enabling attackers to access or modify other users' data by simply changing a parameter.

vulnerabilityCWE-915

Mass Assignment: How Auto-Binding Overwrites Protected Fields

Mass assignment vulnerabilities occur when web frameworks automatically bind HTTP request parameters to object properties without filtering which fields users are allowed to modify. A single extra key in a JSON body can silently overwrite a role, credit balance, or administrative flag — with no error and no warning.

vulnerabilityCWE-918

Server-Side Request Forgery: When Your Server Becomes the Attacker

Server-side request forgery turns your own infrastructure against you, allowing attackers to make your server send requests to internal systems, cloud metadata endpoints, and protected networks that should never be accessible from the outside.

Summary

During an external attack surface assessment against a media infrastructure company, systematic enumeration of API subdomains revealed a consistent CORS misconfiguration across nine separate hosts. Every host returned Access-Control-Allow-Origin: * alongside authenticated API responses. Any external page could read responses from any of these nine endpoints — authentication tokens, broadcast configuration data, and internal account details included.

Key Takeaways

1A CORS wildcard policy (Access-Control-Allow-Origin - *) applied to API endpoints that return sensitive data allows any website to read authenticated API responses via cross-origin requests
2When APIs authenticate via Bearer tokens rather than cookies, CORS wildcards are exploitable without the credentials flag restriction — the JavaScript on any malicious page can include an Authorization header and read the response
3Finding one misconfigured API host warrants systematic testing of all discovered subdomains — misconfiguration at this scale is almost always the result of a shared configuration template applied uniformly
4Nine separate API hosts sharing the same wildcard policy indicated the configuration originated from a centralized infrastructure layer, meaning the fix required changing one configuration rather than nine separate remediations
5The exploitable scenario requires a victim who has previously obtained a valid API token to visit a page controlled by the attacker — realistic for API platforms where tokens are issued to end users or partner organizations

Frequently Asked Questions

CORS wildcard policies tell browsers that any origin is permitted to read the response to a cross-origin request. When an API endpoint returns sensitive data and responds with a wildcard CORS header, any JavaScript running on any page — including pages the user did not intend to visit — can make a request to that endpoint and read the full response. If the API uses token-based authentication (Authorization header), the malicious JavaScript simply includes the token in the request and reads the result. The browser's same-origin policy, which CORS is designed to relax in a controlled way, is completely bypassed.

When credentials means cookies and the withCredentials flag is set, browsers reject a wildcard CORS response — this is a browser security control. However, when authentication uses Bearer tokens passed in the Authorization header rather than cookies, the credentials flag is not required. The malicious page can include the Authorization header in the fetch request directly, and the wildcard response header permits the browser to expose the response. This distinction is critical: APIs that moved away from cookie authentication to token authentication may have lost the protection that cookie-credential CORS restrictions previously provided.

The test is straightforward: send a request to each discovered API endpoint with an arbitrary Origin header and observe whether the Access-Control-Allow-Origin response header reflects that origin back or returns a wildcard. Automating this across enumerated subdomains reveals the scope quickly. The key verification step is confirming that the wildcard or reflected origin applies to endpoints that return sensitive data, not just to public or unauthenticated responses. The actual exploitability depends on how the API authenticates requests — token-based APIs with wildcard CORS are directly exploitable; cookie-authenticated APIs require the Vary and credentials combination to be dangerous.

An API serving authenticated data should specify an explicit allowlist of permitted origins. For internal or partner APIs, this may be a small, fixed set of domains. For public APIs accessed from many origins, the allowlist may need to be dynamic — the application checks the incoming Origin against a stored list of registered client origins and reflects it back only if it matches. In all cases, wildcard policies should be reserved for genuinely public endpoints that do not return user-specific or sensitive data. The configuration should be applied at the application layer rather than a global infrastructure layer to allow endpoint-level granularity.

API Securitycorsapi-securitymisconfigurationinformation-disclosureaccess-control

Nine Hosts, One Wildcard, Zero Access Control

high

April 14, 2026

9 min read

Severityhigh

CVSS0.0

AttackAPI Security

Nine Hosts, One Wildcard, Zero Access Control

The First Host

The first indication came from a routine check I run against any API endpoint: sending a request with a fabricated Origin header and examining what comes back.

http

GET /api/v2/channels HTTP/1.1
Host: api-prod.example.com
Authorization: Bearer <test_token>
Origin: https://attacker.example

The response:

http

HTTP/1.1 200 OK
Content-Type: application/json
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Authorization, Content-Type, X-Requested-With
 
{"channels": [...], "total": 47, "account_id": "..."}

Checking the Adjacent Hosts

I had enumerated seventeen API-pattern subdomains during the initial discovery phase. I ran the same CORS probe against each of them.

Nine returned the wildcard header.

What the Endpoints Returned

The affected endpoints included:

The Exploitable Scenario

A proof-of-concept page on a domain I controlled made a cross-origin request to one of the affected hosts using a token I held for my own test account:

javascript

fetch('https://api-prod.example.com/api/v2/channels', {
  headers: {
    'Authorization': 'Bearer ' + storedToken,
    'Content-Type': 'application/json'
  }
})
.then(r => r.json())
.then(data => {
  // data contains authenticated API response
  document.getElementById('output').textContent = JSON.stringify(data);
});

Scope and Configuration Root Cause

Working backwards from the nine affected hosts to their configuration source required examining what infrastructure managed the API tier's ingress.

Remediation

The ingress CORS configuration was replaced with an explicit allowlist of permitted origins. The policy moved from:

Access-Control-Allow-Origin: *

One Configuration, Nine Findings

For a deeper look at how CORS misconfiguration works and the full range of exploitable configurations, see the CORS misconfiguration knowledge article.

Apr 13, 2026

Enterprise GitLab With the Front Door Wide Open

Apr 12, 2026

Chaining a Subdomain XSS Into API Token Theft

Apr 7, 2026

The Staging Server No One Password-Protected

From the Knowledge Base

vulnerabilityCWE-639

Summary

Key Takeaways

1A CORS wildcard policy (Access-Control-Allow-Origin - *) applied to API endpoints that return sensitive data allows any website to read authenticated API responses via cross-origin requests
2When APIs authenticate via Bearer tokens rather than cookies, CORS wildcards are exploitable without the credentials flag restriction — the JavaScript on any malicious page can include an Authorization header and read the response
3Finding one misconfigured API host warrants systematic testing of all discovered subdomains — misconfiguration at this scale is almost always the result of a shared configuration template applied uniformly
4Nine separate API hosts sharing the same wildcard policy indicated the configuration originated from a centralized infrastructure layer, meaning the fix required changing one configuration rather than nine separate remediations
5The exploitable scenario requires a victim who has previously obtained a valid API token to visit a page controlled by the attacker — realistic for API platforms where tokens are issued to end users or partner organizations

Nine Hosts, One Wildcard, Zero Access Control

The First Host

Checking the Adjacent Hosts

What the Endpoints Returned

The Exploitable Scenario

Scope and Configuration Root Cause

Remediation

One Configuration, Nine Findings

Related Posts

From the Knowledge Base

Insecure Direct Object References: The Most Common Access Control Flaw

Mass Assignment: How Auto-Binding Overwrites Protected Fields

Server-Side Request Forgery: When Your Server Becomes the Attacker

Summary

Key Takeaways

Frequently Asked Questions

Nine Hosts, One Wildcard, Zero Access Control

The First Host

Checking the Adjacent Hosts

What the Endpoints Returned

The Exploitable Scenario

Scope and Configuration Root Cause

Remediation

One Configuration, Nine Findings

Related Posts

From the Knowledge Base

Insecure Direct Object References: The Most Common Access Control Flaw

Mass Assignment: How Auto-Binding Overwrites Protected Fields

Server-Side Request Forgery: When Your Server Becomes the Attacker

Summary

Key Takeaways

Frequently Asked Questions