An application that implements HTML5 CORS means the application will share browser information with another domain that resides at a different origin. By design, browser protections prevent external scripts from accessing information in the browser. This protection is known as Same-Origin Policy (SOP). However, CORS is a means of bypassing SOP, permissively. If an application wants to share browser information with a completely different domain, it may do so with properly-configured CORS headers.

Web-penetration testers must ensure applications that handle AJAX calls (for example, HTML5) do not have misconfigured CORS headers. Let's see how Burp can help us identify such misconfigurations.