
CORS*, Additional CORS Checks


This extension can be used to test websites for CORS misconfigurations. It can spot trivial misconfigurations, like arbitrary origin reflection, but also more subtle ones where a regex is not properly configured. An issue is created if a dangerous origin is reflected. If "Access-Control-Allow-Credentials: true" is also set, the issue is rated high, otherwise low. Finally, the user has to decide whether the reflected Origin is intended (e.g. CDN) or whether it is a security issue.


"CORS* - Additional CORS Checks" can be run in either automatic or manual mode.


  • In the CORS* tab, the extension can be activated.
  • If activated, the extension will test CORS misconfigurations for each proxy request by sending multiple requests with different origins.
  • There are options to only enable it for in-scope items and to exclude requests with certain file extensions.
  • The "URL for CORS Request" is used to test for arbitrary reflection and as prefix/suffix in testing regex misconfigurations.
  • If a potential misconfiguration is discovered, the request is highlighted in red.
  • If an issue is detected, it is also reported in the Target and Dashboard tabs.


  • Requests can be added to CORS* using the extension menu.
  • The requests to test for CORS misconfiguration can then be sent using the "Send CORS requests for selected entry" button.
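
The checks described above can be reproduced offline against your own origin-validation logic. The following is an added example, not the extension's code: it runs a weak regex policy and an exact-match allow-list against constructed origin variants (arbitrary, prefix, suffix, unescaped dot) and rates each reflection high or low as the description states. The hosts, the policies and the exact variants are assumptions made for illustration.

```javascript
// Added example, not the extension's code. All hosts are constructed.
const TRUSTED_HOST = "example.com";        // assumed legitimate site
const TEST_DOMAIN = "cors-test.invalid";   // stands in for "URL for CORS Request"

// Weak policy: meant to allow example.com and subdomains, but the regex has
// no end anchor, an unescaped ".", and ".*" can match any host prefix.
const weakPolicy = (origin) => /^https:\/\/.*example.com/.test(origin);

// Hardened policy: exact string match against an explicit allow-list.
const ALLOWED = new Set(["https://example.com", "https://www.example.com"]);
const strictPolicy = (origin) => ALLOWED.has(origin);

// Origins that must never be accepted (constructed variants).
function candidateOrigins(trustedHost, testDomain) {
  const label = testDomain.split(".")[0];
  return [
    `https://${testDomain}`,                    // arbitrary origin reflection
    `https://${label}${trustedHost}`,           // test label as prefix
    `https://${trustedHost}.${testDomain}`,     // test domain as suffix
    `https://${trustedHost.replace(".", "x")}`, // "." treated as wildcard
  ];
}

// Simulates the server: reflect the Origin only if the policy accepts it.
function corsHeaders(policy, origin, withCredentials) {
  if (!policy(origin)) return {};
  const headers = { "access-control-allow-origin": origin };
  if (withCredentials) headers["access-control-allow-credentials"] = "true";
  return headers;
}

// Rates each reflected candidate: high with credentials, otherwise low.
function audit(policy, withCredentials) {
  const findings = [];
  for (const origin of candidateOrigins(TRUSTED_HOST, TEST_DOMAIN)) {
    const h = corsHeaders(policy, origin, withCredentials);
    if (h["access-control-allow-origin"] !== origin) continue;
    const severity = h["access-control-allow-credentials"] === "true" ? "high" : "low";
    findings.push({ origin, severity });
  }
  return findings;
}

console.log(audit(weakPolicy, true));   // three findings, all rated high
console.log(audit(strictPolicy, true)); // no findings
```
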
Author Ybieri
Version 0.9
Last updated 31 January 2022

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for this BApp by visiting our GitHub page.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
