🔥 3-day streak
CompTIA PenTest+ (PT0-003)140 / 175
Question 140 of 175
During a web application assessment, you notice that an API endpoint at https://app.corp.com/api/profile returns sensitive user data and includes the response header 'Access-Control-Allow-Origin: *' along with 'Access-Control-Allow-Credentials: true'. The application uses session cookies for authentication. Which conclusion is most accurate about exploiting this configuration?
Reviewed for accuracy · Report an issueNext question