Merge pull request #2163 from HackTricks-wiki/research_update_src_pentesting-web_cors-bypass_20260423_135850

carlospolop · web-flow · commit ce212096ce05 · 2026-04-23T17:18:27.000+02:00
Research Update Enhanced src/pentesting-web/cors-bypass.md
diff --git a/src/pentesting-web/cors-bypass.md b/src/pentesting-web/cors-bypass.md
@@ -106,25 +106,39 @@ Note that usually (depending on the content-type and headers set) in a **GET/POS
 
 ### **Local Network Requests Pre-flight request**
 
-1. **`Access-Control-Request-Local-Network`**: This header is included in the client's request to signify that the inquiry is aimed at a local network resource. It serves as a marker to inform the server that the request originates from within the local network.
-2. **`Access-Control-Allow-Local-Network`**: In response, servers utilize this header to communicate that the requested resource is permitted to be shared with entities outside of the local network. It acts as a green light for sharing resources across different network boundaries, ensuring controlled access while maintaining security protocols.
+Modern browsers and the current **Private Network Access (PNA)** draft use the headers **`Access-Control-Request-Private-Network: true`** in the preflight and **`Access-Control-Allow-Private-Network: true`** in the response. Older articles and PoCs may still refer to `Local-Network` header names, but for current testing you should expect the `Private-Network` variants.
 
-A **valid response allowing the local network request** needs to have also in the response the header `Access-Controls-Allow-Local_network: true` :
+A **valid response allowing the local network request** needs to also include `Access-Control-Allow-Private-Network: true`:
 
 ```
 HTTP/1.1 200 OK
 ...
 Access-Control-Allow-Origin: https://example.com
 Access-Control-Allow-Methods: GET
 Access-Control-Allow-Credentials: true
-Access-Control-Allow-Local-Network: true
+Access-Control-Allow-Private-Network: true
 Content-Length: 0
 ...
 ```
 
+And the preflight request will look similar to:
+
+```http
+OPTIONS / HTTP/1.1
+Host: router.local
+Origin: https://example.com
+Access-Control-Request-Method: GET
+Access-Control-Request-Private-Network: true
+```
+
+> [!NOTE]
+> Chrome's PNA rollout changed several times during 2024. As of **October 9, 2024**, Chrome documented that **PNA preflights were on hold** because of compatibility problems, while secure-context restrictions remained in place. Therefore, keep testing both the **spec-compliant preflight flow** and the older **"works in practice because enforcement is incomplete"** behavior.
+
 > [!WARNING]
 > Note that the linux **0.0.0.0** IP works to **bypass** these requirements to access localhost as that IP address is not considered "local".
 >
+> Chrome also documented that **`0.0.0.0/8`** is now treated as part of Private Network Access, so this trick is browser/version-dependent and should be re-tested instead of assumed.
+>
 > It's also possible to **bypass the Local Network requirements** if you use the **public IP address of a local endpoint** (like the public IP of the router). Because in several occasions, even if the **public IP** is being accessed, if it's **from the local network**, access will be granted.
 
 ### Wildcards
@@ -258,6 +272,22 @@ Access-Control-Allow-Origin: https://target.application}.arbitrary.com
 Access-Control-Allow-Credentials: true
 ```
 
+Recent updates to PortSwigger's cheat sheet added more **Safari-oriented domain splitting** payloads that are worth fuzzing when the target validates the `Origin` header using regexes or home-grown URL parsers:
+
+```text
+https://example.com.{.attacker.com/
+https://example.com.}.attacker.com/
+https://example.com.`.attacker.com/
+```
+
+These are useful when the backend only checks whether the supplied origin *starts with* or *contains* the trusted hostname, while the browser still treats the attacker-controlled suffix as the effective origin boundary.
+
+Also remember that modern origin fuzzing should not stop at hostname suffixes. The current PortSwigger cheat sheet includes payload families for:
+
+- **Domain allow-list bypasses**: attacker-controlled domains that still satisfy naive prefix/suffix/substring checks.
+- **Fake-relative absolute URLs**: browser-valid absolute URLs that application code may parse as relative.
+- **Loopback/IP normalizations**: alternative IPv4/IPv6 forms useful when CORS logic tries to block `localhost`, `127.0.0.1`, or cloud metadata endpoints by string comparison.
+
 ### **Other funny URL tricks**
 
 
@@ -455,6 +485,7 @@ DoH simply tunnels the classic RFC1035 DNS wire format inside HTTPS (usually a P
 **Fuzz possible misconfigurations in CORS policies**
 
 - [https://portswigger.net/bappstore/420a28400bad4c9d85052f8d66d3bbd8](https://portswigger.net/bappstore/420a28400bad4c9d85052f8d66d3bbd8)
+- [https://portswigger.net/bappstore/c257bcb0b6254a578535edb2dcee87d0](https://portswigger.net/bappstore/c257bcb0b6254a578535edb2dcee87d0)
 - [https://github.com/chenjj/CORScanner](https://github.com/chenjj/CORScanner)
 - [https://github.com/lc/theftfuzzer](https://github.com/lc/theftfuzzer)
 - [https://github.com/s0md3v/Corsy](https://github.com/s0md3v/Corsy)
@@ -473,8 +504,9 @@ DoH simply tunnels the classic RFC1035 DNS wire format inside HTTPS (usually a P
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CORS%20Misconfiguration](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CORS%20Misconfiguration)
 - [https://medium.com/entersoftsecurity/every-bug-bounty-hunter-should-know-the-evil-smile-of-the-jsonp-over-the-browsers-same-origin-438af3a0ac3b](https://medium.com/entersoftsecurity/every-bug-bounty-hunter-should-know-the-evil-smile-of-the-jsonp-over-the-browsers-same-origin-438af3a0ac3b)
 - [NCC Group - Impact of DNS over HTTPS (DoH) on DNS Rebinding Attacks](https://www.nccgroup.com/research-blog/impact-of-dns-over-https-doh-on-dns-rebinding-attacks/)
+- [https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet](https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet)
+- [https://developer.chrome.com/blog/pna-on-hold](https://developer.chrome.com/blog/pna-on-hold)
 
 
 {{#include ../banners/hacktricks-training.md}}
 
-
