From 510ebdd61777e80461af385d0dd914c26c817dea Mon Sep 17 00:00:00 2001 From: Tamim Hasan <66991901+tamimhasan404@users.noreply.github.com> Date: Wed, 19 May 2021 19:13:52 +0600 Subject: [PATCH] update cors.md --- cheatsheets/cors.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/cheatsheets/cors.md b/cheatsheets/cors.md index dde6a4d..8d6a9d0 100644 --- a/cheatsheets/cors.md +++ b/cheatsheets/cors.md @@ -7,6 +7,17 @@ Check to see what the server responds with in the `Access-Control-Allow-Origin:` If it is trusting arbitrary origins **with** allow-credentials set to true, then host this HTML as a proof of concept. +## Some method to bypass CORS +1. `Origin:null` +2. `Origin:attacker.com` +3. `Origin:attacker.target.com` +4. `Origin:attackertarget.com` +5. `Origin:sub.attackertarget.com` +6. `Origin:attacker.com and then change the method Get to post/Post to Get` +7. `Origin:sub.attacker target.com` +8. `Origin:sub.attacker%target.com` +9. `Origin:attacker.com/target.com` + ```
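Review bot: the new section is inserted between the existing sentence "then host this HTML as a proof of concept." and the code fence that sentence introduces, so the proof-of-concept block now appears to belong to the new list. Move the section above the "Check to see what the server responds with" paragraph, or below the closing fence of the HTML block. The heading "Some method to bypass CORS" also needs rewording. The entries are `Origin` header values for testing the server's origin validation, so something like "Origin values to test" would describe them accurately, with one sentence stating what result counts as a finding (per the paragraph above: the value is trusted in `Access-Control-Allow-Origin` with allow-credentials set to true). Item 6 puts an instruction inside the code span (`Origin:attacker.com and then change the method Get to post/Post to Get`). Keep only the header value in backticks and write the GET/POST switch as plain text. Item 7 (`Origin:sub.attacker target.com`) contains a space. If that is deliberate, say so in the entry; otherwise it reads as a typo of item 5. Since every entry is a header line, `Origin: value` with a space after the colon would match the `Access-Control-Allow-Origin:` style used earlier in the file.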