Add comprehensive payloads and 4 new vulnerability types (SSTI, HTTP Request Smuggling, CORS, JWT)

Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>

CORS-Misconfiguration/README.md

@@ -0,0 +1,35 @@
+# CORS Misconfiguration
+
+## Description
+Cross-Origin Resource Sharing (CORS) misconfiguration occurs when a web application incorrectly configures the CORS headers, allowing unauthorized domains to access sensitive resources. This can lead to data theft, account compromise, and bypassing of the Same-Origin Policy.
+
+## Common Misconfigurations
+- **Wildcard Origin with Credentials** - `Access-Control-Allow-Origin: *` with `Access-Control-Allow-Credentials: true`
+- **Null Origin Allowed** - Accepting `Origin: null`
+- **Reflected Origin** - Reflecting any origin without validation
+- **Subdomain Trust** - Trusting all subdomains including attacker-controlled ones
+- **Pre-domain/Post-domain Trust** - Weak regex matching for origins
+
+## Impact
+- Steal sensitive user data
+- Perform actions on behalf of users
+- Access private API endpoints
+- Read authentication tokens
+- Bypass CSRF protections
+
+## Common Attack Vectors
+- API endpoints with sensitive data
+- Authentication endpoints
+- Profile information endpoints
+- Admin panels
+- Internal APIs exposed via CORS
+
+## Testing Approach
+1. Send requests with various `Origin` headers
+2. Check if `Access-Control-Allow-Origin` reflects the attacker's origin
+3. Verify if `Access-Control-Allow-Credentials: true` is set
+4. Test with null origin, subdomains, and similar domains
+5. Check for weak regex patterns in origin validation
+
+## Payloads
+See `cors-misconfiguration-payloads.txt` for a comprehensive list of CORS misconfiguration test payloads.