Cross-origin resource sharing (CORS) is extremely common on modern web apps, but scanning tools are terrible at analyzing CORS policy. If testers really understand CORS policy, a damaging exploit is often not far away. Is it possible to force a user to do something significant? Does using a GUID offer any protection? Does the authentication mechanism really protect against cross-origin attacks? Is it really risky to allow all origins? Do pre-flight requests always help? CORS requests get tricky very quickly and scanning tools do not have a good understanding of the intricacies that surface during actual application testing. A quick and dirty JavaScript exploit will put the issue to rest and eliminate hours of theoretical debate. This presentation covers how to find specific CORS misconfigurations and will not address the basics of CORS. Dozens of actual applications are distilled into examples that demonstrate CORS protections and JavaScript code to bypass them. Knowledge of the available CORS headers, RESTful APIs, and the ability to read JavaScript are necessary to completely understand the techniques in this presentation.