Are you from the Same Origin?

Recently, when I debugged a web app, I had to add my own test domain to a CORS allowed list there. Then I remembered having seen a CORS vulnerability report before and decided to delve deeper into this topic.

Create a Simple Web App with CORS Misconfiguration

Essentially, we require a web application with a straightforward login feature and a data endpoint. With misconfigured CORS, we should be able to see the sensitive data from another origin.
3 minutes to read

Duplicate Report

So, I almost submitted my first valid bug report…

What Happened

The other night, I finally decided to give bug bounty a try. I found a VDP program and let ChatGPT write me a recon script. That recon script returned with several subdomains, and when I went through them, a weird domain caught my eye. What the hell is ‘whoami.xx.xx.com’? Out of curiosity, I opened that in my browser. Holy cow, it looks like a debugging page with an internal IP!
3 minutes to read