Also check for a TLS break in general.
If you find a subdomain that's vulnerable to, for example, XSS, you can inject your script there and then use CORS.
Breaking TLS using a subdomain of the site that allows HTTP:

```
GET /api/requestApiKey HTTP/1.1
Host: vulnerable-website.com
Origin: http://trusted-subdomain.vulnerable-website.com
Cookie: sessionid=..
```

The application responds with:

```
HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://trusted-subdomain.vulnerable-website.com
Access-Control-Allow-Credentials: true
```

Often people configure sites with whitelisting based on their domain prefix.
For example, suppose an application grants access to all domains ending in: normal-website.com
- An attacker might be able to gain access by registering the domain: hackersnormal-website.com
- Alternatively, suppose an application grants access to all domains beginning with normal-website.com
- An attacker might be able to gain access using the domain: normal-website.com.evil-user.net
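
The suffix and prefix checks above, next to an exact-origin allowlist that also rejects the plain-HTTP subdomain case, as an added example that is not part of the original notes. The function names and the `app.` subdomain are assumptions made for illustration.

```javascript
// Added example; host names other than those in the notes are constructed.
const TRUSTED = "normal-website.com";

// Weak: "ends with" check from the notes.
function allowsBySuffix(origin) {
  return origin.endsWith(TRUSTED);
}

// Weak: "begins with" check from the notes (scheme stripped first).
function allowsByPrefix(origin) {
  return origin.replace(/^https?:\/\//, "").startsWith(TRUSTED);
}

// Hardened: exact match against full origins, scheme included, so an
// http:// subdomain or a look-alike host never matches.
const ALLOWED_ORIGINS = new Set([
  "https://normal-website.com",
  "https://app.normal-website.com", // constructed subdomain
]);
function allowsExact(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Build the CORS response headers for a request Origin using a given check.
function corsHeaders(origin, check) {
  if (typeof origin !== "string" || !check(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from reusing the header across origins
  };
}

// Constructed sample Origin values, including the two from the notes.
const SAMPLES = [
  "https://normal-website.com",
  "https://hackersnormal-website.com",
  "https://normal-website.com.evil-user.net",
  "http://app.normal-website.com",
];

function compare() {
  return SAMPLES.map((o) => ({
    origin: o,
    suffix: allowsBySuffix(o),
    prefix: allowsByPrefix(o),
    exact: allowsExact(o),
  }));
}

console.log(compare());
```

Only the first sample passes the exact check; each of the other three passes one of the weak checks.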