Why I Checked These Sites
As part of my routine security research, I decided to test 5 popular Chinese websites for CORS (Cross-Origin Resource Sharing) misconfigurations. CORS misconfigurations are among the most overlooked yet dangerous web vulnerabilities: a site that trusts the wrong origin can let an attacker's page read responses meant for authenticated users.
The Test Method
I sent a simple curl request with a malicious Origin header to each target:
curl -s -H "Origin: https://evil.com" -I https://TARGET
If the response includes both access-control-allow-origin: https://evil.com AND access-control-allow-credentials: true, the site reflects an arbitrary origin and also allows the browser to send cookies with the request, so any page on that origin can read authenticated responses. That's a critical vulnerability.
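The same check, as an added example that is not part of the original post: classify() maps a response's CORS headers to the verdicts used in the results table (the function and sample headers are constructed here; the "hypothetical" names are mine), and probe() performs the live request the curl line does.

```python
# Added example, not from the original post. Reproduces the curl check
# (send a foreign Origin, inspect the reflected CORS headers) and classifies
# the result. Function names and sample headers are hypothetical/constructed.
import urllib.error
import urllib.request
from typing import Mapping

PROBE_ORIGIN = "https://evil.com"  # the attacker-controlled origin used in the post


def classify(headers: Mapping[str, str], origin: str = PROBE_ORIGIN) -> str:
    """Map response headers to the verdicts used in the results table."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None and not creds:
        return "no-cors-headers"            # e.g. baidu.com row: nothing to exploit
    if acao == origin and creds:
        return "vulnerable"                 # reflected origin + credentials: cross-site readable
    if acao == origin:
        return "reflected-no-credentials"   # reflected, but only unauthenticated responses readable
    if acao == "*" and creds:
        return "wildcard-with-credentials"  # browsers refuse '*' with credentials, so not readable
    if creds:
        return "credentials-without-echo"   # e.g. douyin.com row: credentials flag but no echo
    return "restrictive"                    # fixed allow-list value that is not our origin


def probe(url: str, origin: str = PROBE_ORIGIN) -> str:
    """Live equivalent of: curl -s -H "Origin: https://evil.com" -I URL"""
    req = urllib.request.Request(url, method="HEAD", headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(dict(resp.headers.items()), origin)
    except urllib.error.HTTPError as e:  # e.g. a WAF answering 4xx/5xx still has headers
        return f"blocked ({e.code}): " + classify(dict(e.headers.items()), origin)


# Constructed sample responses mirroring the table's outcomes (not real captures).
SAMPLES = {
    "constructed-vulnerable": {"Access-Control-Allow-Origin": "https://evil.com",
                               "Access-Control-Allow-Credentials": "true"},
    "constructed-douyin-like": {"Access-Control-Allow-Credentials": "true"},
    "constructed-no-cors": {"Content-Type": "text/html"},
}


def run_samples() -> dict:
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify(hdrs) for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```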
Results
| Site | Vulnerable | Notes |
|---|---|---|
| baidu.com | No | No CORS headers returned |
| taobao.com | No | Properly configured |
| qq.com | Blocked | WAF blocked the request (501) |
| douyin.com | No | access-control-allow-credentials: true but no ACAO echo |
| zhihu.com | No | Redirected to login, no CORS leak |
Verdict: 0 vulnerabilities found. All 5 sites have proper CORS protection.
Why CORS Matters
A CORS vulnerability lets a malicious website make authenticated API calls on behalf of your users and read the responses. If a banking site echoes back an attacker-supplied Origin with credentials allowed, the attacker's page can read authenticated responses from any logged-in visitor and steal their session data.
Check Your Own Site
Want to verify your site's CORS configuration? Use our free scanner:
https://sec.92888888.xyz/scan?url=YOUR_SITE
It checks for:
- CORS misconfigurations
- Missing security headers (HSTS, CSP, XFO, etc.)
- Open ports
- SSL/TLS issues
The Takeaway
Every site should have a proper CORS policy. Never echo back an untrusted Origin with credentials enabled.
Built with WebSec Scanner Pro — automated vulnerability detection in seconds.