{
	"wildcard value" : {
		"class" : "wildcard value",
		"description" : "This host allows requests made from any origin. However, browsers will block all requests to this host by default.",
		"severity" : "low",
		"exploitation" : "Not possible"
	},
	"third party allowed" : {
		"class" : "third party allowed",
		"description" : "This host has whitelisted a third party host for cross origin requests.",
		"severity" : "Medium",
		"exploitation" : "If the whitelisted host is a code hosting platform such as codepen.io or has an XSS vulnerability, it can be used to exploit this misconfiguration."

	},
	"origin reflected": {
		"class" : "origin reflected",
		"description" : "This host allows any origin to make requests to it.",
		"severity" : "high",
		"exploitation" : "Make requests from any domain you control."
	},
	"invalid value" : {
		"class" : "invalid value",
		"description" : "Header's value is invalid, this CORS implementation doesn't work at all.",
		"severity" : "low",
		"exploitation" : "Not possible"
	},
	"post-domain wildcard" : {
		"class" : "post-domain wildcard",
		"description" : "The origin verification is flawed, it allows requests from a host that has this host as a prefix.",
		"severity" : "high",
		"exploitation" : "Make requests from target.com.attacker.com"
	},
	"pre-domain wildcard" : {
		"class" : "pre-domain wildcard",
		"description" : "The origin verification is flawed, it allows requests from a host that has this host as a suffix.",
		"severity" : "high",
		"exploitation" : "Make requests from attacker-target.com"
	},
	"null origin allowed" : {
		"class" : "null origin allowed",
		"description" : "This host allows requests from 'null' origin.",
		"severity" : "high",
		"exploitation" : "Make requests from a sandboxed iframe."
	},
	"http origin allowed" : {
		"class" : "http origin allowed",
		"description" : "This host allows sharing resources over an unencrypted (HTTP) connection.",
		"severity" : "low",
		"exploitation" : "Sniff requests made over the unencrypted channel."
	},
	"unrecognized underscore" : {
		"class" : "unrecognized underscore",
		"description" : "The origin verification is flawed and can be bypassed using a underscore (_).",
		"severity" : "high",
		"exploitation" : "Set the 'Origin' header to target.com_.example.com"
	},
	"broken parser" : {
		"class" : "broken parser",
		"description" : "The origin verification is flawed and can be bypassed using a backtick (`).",
		"severity" : "high",
		"exploitation" : "Set the 'Origin' header to %60.example.com"
	},
	"unescaped regex" : {
		"class" : "unescaped regex",
		"description" : "The regex used for origin verification contains an unescaped dot (.) character.",
		"severity" : "high",
		"exploitation" : "If the target is sub.example.com, make requests from subxexample.com"
	}
}