The value of an “Access-Control-Allow-Origin” HTTP header with an associated “Access-Control-Allow-Credentials” HTTP header with a truthy value.
A value that is or coerces to the string “null”. This is considered a source because the “null” origin is easy for an attacker to obtain.
A source of remote user input, considered as a flow source for CORS misconfiguration.
A sanitizer for CORS misconfiguration for credentials transfer.
A data flow sink for CORS misconfiguration for credentials transfer.
A data flow source for CORS misconfiguration for credentials transfer.