Welcome to the S4E Create with AI Library
Enterprise-grade Automation with Pentester-level Flexibility
This library showcases real examples of how security teams use S4E Create with AI to save time, reduce manual effort, and strengthen their defenses.
Unlike traditional scanners that limit users to predefined checks, S4E Create with AI gives complete flexibility. You describe what you need, and the AI builds and runs it instantly. This allows teams to automate the exact tests they want instead of being restricted to what the product designer imagined.
Detecting Insecure CORS Origin Reflection
Problem
Cross-Origin Resource Sharing (CORS) is essential for modern web applications, but misconfigurations can be devastating. A common and critical mistake occurs when a server blindly reflects the requested Origin header in the Access-Control-Allow-Origin response and simultaneously sets Access-Control-Allow-Credentials: true.
This specific combination allows attackers to bypass the Same-Origin Policy. By hosting a malicious site, an attacker can force a victim’s browser to make authenticated requests to your application, reading sensitive data or performing actions on their behalf.
Risk Prevented: Cross-domain data theft and unauthorized actions via authenticated sessions (account hijacking risks similar to CSRF but allowing data exfiltration).
Traditional Approach
Identifying this vulnerability manually is tedious. Security analysts must use proxy tools like Burp Suite to intercept requests, manually modify the Origin header to a random value, and inspect the response headers to see if the server “echoes” it back. Static scanners often miss this because they look for hardcoded wildcards (*) but fail to detect dynamic reflection logic where the server programmatically accepts any origin provided by the client.
How Create with AI Changes It
With S4E Create with AI, you can automate this dynamic behavioral check across all your assets instantly. The AI generates a smart scan that:
- Generates a randomized test domain (e.g., http://random-xyz.com) to simulate an external attacker.
- Injects this domain into the Origin header of the request.
- Validates if the server insecurely reflects this random domain back.
- Checks if Access-Control-Allow-Credentials is set to true.
This moves beyond simple configuration reading; it actively tests the server’s behavior against unauthorized origins.
Instant Solution (Create with AI)
Prompt: Create a scan that detects insecure CORS origin reflection. The scan should send a request with a randomized “Origin” header (e.g., “http://random-test-domain.com“). It must verify if the server mirrors this origin or returns “*” in the “Access-Control-Allow-Origin” header while also setting “Access-Control-Allow-Credentials” to true. If this risky configuration is found, raise an alert for Insecure CORS Reflection; otherwise, return the message “CORS configuration appears secure.”
The generated scan performs a live test using a randomized origin, confirming whether the application is overly permissive with credentials.
🎥 Watch the Scan in Action
The video shows Create with AI generating a random origin string, sending it to the target asset, and detecting if the server insecurely allows credentials for that unverified domain.
Value
- Dynamic Validation: Tests how the server actually behaves, not just static config files.
- Precise Detection: Specifically targets the dangerous combination of Reflected Origin + Credentials.
- Eliminates False Negatives: Catches dynamic code logic that accepts “any” origin, which standard scanners often miss.
- Scalable: Instantly checks hundreds of endpoints for this specific misconfiguration.
Closing Takeaway
CORS misconfigurations are often invisible to users but offer an open door to attackers. By automating the detection of origin reflection, S4E Create with AI ensures that your application only talks to trusted domains, preventing data leaks through relaxed security policies.
🧰 Check It Yourself
Check the sample scan below or watch the video for a live walkthrough
class Job(Task):
def run(self):
asset = http_or_https(asset=self.asset, _headers=self.headers, session=self.session)
self.output['detail'] = []
self.output['compact'] = []
self.output['video'] = [f"python3 cors_origin_reflection_scan.py {asset}"]
random_domain = "http://random-" + ''.join(random.choices(string.ascii_lowercase, k=10)) + ".com"
try:
response = self.session.get(asset, headers={**self.headers, "Origin": random_domain}, timeout=self.timeout, verify=False, allow_redirects=False)
allow_origin = response.headers.get("Access-Control-Allow-Origin")
allow_credentials = response.headers.get("Access-Control-Allow-Credentials")
self.output['video'].append(f"Testing Origin: {random_domain}")
if allow_origin in [random_domain, "*"] and allow_credentials and allow_credentials.lower() == "true":
self.output['compact'].append("Insecure CORS Reflection detected.")
self.output['detail'].extend([
"Origin reflected or wildcard used with credentials.",
f"Allow-Origin: {allow_origin}",
f"Allow-Credentials: {allow_credentials}"
])
self.output['video'].extend([
"Insecure CORS Reflection detected.",
f"Allow-Origin: {allow_origin}",
f"Allow-Credentials: {allow_credentials}"
])
else:
self.output['detail'].append("CORS configuration appears secure.")
self.output['video'].append("CORS configuration appears secure.")
except:
self.output['detail'].append("CORS configuration appears secure.")
self.output['video'].append("CORS configuration appears secure.")
def calculate_score(self):
if self.output['compact']:
self.score = self.param['max_score']
else:
self.score = 0Want to see and learn more?
Want to start using and experience it yourself?