I found a website that has a well-implemented CORS configuration, but for some reason I am able to insert two Origin headers in a POST request, and both of these values are reflected in the response.
So if I try:
    Host: example.com
    Connection: close
    Origin: https://evil.com
    Origin: https://example.com
The response will be:
    HTTP/1.1 200 OK
    access-control-allow-origin: https://evil.com,https://example.com
    access-control-allow-credentials: true
Is there any way to set this in a payload to be able to exploit this? How could I set the origin value for both of these to exploit it?
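A server-side check for the situation described above, added here as example code (it is not from the post or from the site it describes): the CORS handler refuses to emit any Access-Control-Allow-* header when the request carries zero or more than one Origin header, and a separate helper flags a comma-joined Access-Control-Allow-Origin value like the one in the response. The allowlist and the sample request are constructed for the example.

```python
# Added example, not part of the original post. Defensive CORS handling:
# never join or reflect multiple Origin values; only echo an exact allowlist hit.
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

Header = Tuple[str, str]

# Constructed allowlist for the example; a real service would load its own.
ALLOWED_ORIGINS = {"https://example.com", "https://app.example.com"}

# Constructed request mirroring the post: two Origin headers on one request.
REQUEST_WITH_TWO_ORIGINS: List[Header] = [
    ("Host", "example.com"),
    ("Connection", "close"),
    ("Origin", "https://evil.com"),
    ("Origin", "https://example.com"),
]


def origin_values(headers: List[Header]) -> List[str]:
    """Collect every Origin header value (header names are case-insensitive)."""
    return [v.strip() for k, v in headers if k.lower() == "origin"]


def cors_response_headers(headers: List[Header]) -> Dict[str, str]:
    """Return the CORS headers to emit, or {} when the browser must block the read.

    Exactly one Origin header is required, and it must match the allowlist
    exactly; duplicated Origin headers are ambiguous and are never reflected.
    """
    origins = origin_values(headers)
    if len(origins) != 1 or origins[0] not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origins[0],
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # keep caches from serving one origin's answer to another
    }


def acao_is_single_origin(value: str) -> bool:
    """Check an emitted Access-Control-Allow-Origin value: one origin, '*' or 'null'.

    A comma- or space-joined value (as in the post's response) is rejected.
    """
    v = value.strip()
    if v in ("*", "null"):
        return True
    if "," in v or " " in v:
        return False
    parts = urlsplit(v)
    return (parts.scheme in ("http", "https") and bool(parts.netloc)
            and parts.path == "" and not parts.query and not parts.fragment)
```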