Fast CORS misconfiguration vulnerabilities scanner🍻
CORScanner is a Python tool designed to discover CORS misconfiguration vulnerabilities in websites. It helps website administrators and penetration testers check whether the domains/URLs they are responsible for or testing have insecure CORS policies.

Quick install: `pip install corscanner` (or the short name, `pip install cors`).

Two useful references for understanding CORS systematically:

* USENIX Security '18 paper: We Still Don't Have Secure Cross-Domain Requests: an Empirical Study of CORS
* Chinese explanation (中文详解): Bypassing the browser SOP to steal information cross-site: a report on CORS configuration security vulnerabilities and best deployment practices (绕过浏览器SOP,跨站窃取信息:CORS配置安全漏洞报告及最佳部署实践)
Download this tool:

```shell
git clone https://github.com/chenjj/CORScanner.git
```

Install dependencies:

```shell
sudo pip install -r requirements.txt
```

CORScanner depends on the `requests`, `gevent`, `tldextract`, `colorama` and `argparse` Python modules.

Alternatively, install it from PyPI:

```shell
sudo pip install corscanner
```

or use the short name:

```shell
sudo pip install cors
```
CORScanner can be used as a Python module:

```python
>>> from CORScanner.cors_scan import cors_check
>>> ret = cors_check("https://www.instagram.com", None)
>>> ret
{'url': 'https://www.instagram.com', 'type': 'reflect_origin', 'credentials': 'false', 'origin': 'https://evil.com', 'status_code': 200}
```

You can also use CORScanner via the `corscanner` or `cors` command:

```shell
corscanner -u https://www.instagram.com -vv
```
Short Form | Long Form | Description
---|---|---
-u | --url | URL/domain to check its CORS policy
-d | --headers | Add headers to the request
-i | --input | URL/domain list file to check their CORS policy
-t | --threads | Number of threads to use for the CORS scan
-o | --output | Save the results to a JSON file
-v | --verbose | Enable verbose mode and display results in real time
-T | --timeout | Set the requests timeout (default 5 sec)
-h | --help | Show the help message and exit
Examples:

```shell
# Check a single domain
python cors_scan.py -u example.com

# Same check with maximum verbosity
python cors_scan.py -u example.com -vvv

# Check a specific URL (scheme and path included)
python cors_scan.py -u http://example.com/restapi

# Send an extra request header, e.g. a session cookie
python cors_scan.py -u example.com -d "Cookie: test"

# Check a list of domains with 100 threads
python cors_scan.py -i top_100_domains.txt -t 100

# Show the help message
python cors_scan.py -h
```
This tool covers the following misconfiguration types:

Misconfiguration type | Description
---|---
Reflect any origin | Blindly reflects the Origin header value in the Access-Control-Allow-Origin response header, which means any website can read its secrets by sending cross-origin requests.
Prefix match | `www.example.com` trusts `example.com.evil.com`, which is an attacker's domain.
Suffix match | `www.example.com` trusts `evilexample.com`, which could be registered by an attacker.
Not escape dot | `www.example.com` trusts `wwwaexample.com`, which could be registered by an attacker.
Substring match | `www.example.com` trusts `example.co`, which could be registered by an attacker.
Trust null | `www.example.com` trusts `null`, which can be forged by iframe sandbox scripts.
HTTPS trusts HTTP | Risky trust dependency; a MITM attacker may steal the HTTPS site's secrets.
Trust any subdomain | Risky trust dependency; an XSS on any subdomain may steal its secrets.
Custom third parties | Custom unsafe third-party origins such as `github.io`; see the `origins.json` file for more. Thanks @phackt!
Special characters bypass | Exploiting browsers' handling of special characters. Most only work in Safari, except one that also works in Chrome and Firefox. See more in Advanced CORS Exploitation Techniques. Thanks @Malayke.

Contributions of more types are welcome.
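As an added illustration (not the project's own code), the following Python mirrors what such a scan has to do: build one probe origin per misconfiguration type in the table above and flag the probes a site's response trusts. The `respond` callables are constructed mock policies standing in for a real HTTP request, and the registered-domain split is a simplification of what `tldextract` does in the real tool.

```python
import re

def probe_origins(host: str) -> dict:
    """One probe origin per misconfiguration type for a target host.
    Assumption: the registered domain is the last two labels (the real tool
    uses tldextract, so hosts under e.g. .co.uk are handled correctly)."""
    domain = ".".join(host.split(".")[-2:])
    return {
        "reflect_origin":      "https://evil.com",                      # Reflect any origin
        "prefix_match":        f"https://{domain}.evil.com",            # Prefix match
        "suffix_match":        f"https://evil{domain}",                 # Suffix match
        "not_escape_dot":      f"https://{host.replace('.', 'a', 1)}",  # Not escape dot
        "substring_match":     f"https://{domain[:-1]}",                # Substring match
        "trust_null":          "null",                                  # Trust null
        "https_trust_http":    f"http://{host}",                        # HTTPS trusts HTTP
        "trust_any_subdomain": f"https://evil.{domain}",                # Trust any subdomain
    }

def scan(host: str, respond) -> list:
    """Send every probe origin to `respond` (stands in for the HTTP request and
    returns the response headers) and report each probe the site trusts.
    Browsers honour only an exact Access-Control-Allow-Origin match (or "*")."""
    findings = []
    for mtype, origin in probe_origins(host).items():
        headers = respond(origin)
        if headers.get("Access-Control-Allow-Origin") != origin:
            continue
        creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
        findings.append({"type": mtype, "origin": origin, "credentials": creds})
    return findings

# Constructed mock policies standing in for remote servers (no network involved).
def reflecting_policy(origin):
    """Echoes any Origin with credentials: the "Reflect any origin" case."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}

def regex_policy(origin):
    """Means to allow https://*.example.com, but the dot is unescaped and the
    pattern is not anchored at the end: Prefix / Suffix / Not escape dot bugs."""
    if re.match(r"https://.*example.com", origin):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}

def strict_policy(origin):
    """Exact allowlist comparison: the safe way to do it."""
    if origin == "https://app.example.com":
        return {"Access-Control-Allow-Origin": origin}
    return {}
```

Run against a mock that echoes every origin, all eight probes are reported; the buggy regex trusts the prefix, suffix, unescaped-dot and any-subdomain probes, and the exact allowlist trusts none.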
Here is an example of how the "Reflect any origin" misconfiguration was exploited on Walmart.com (since fixed). Localhost plays the malicious website in the video.

Walmart.com video on YouTube:

Here is the exploitation code:

```javascript
```

If you have understood how the demo works, you can read Sections 5 and 6 of the CORS paper to learn how the other misconfigurations can be exploited.

CORScanner is licensed under the MIT license. Take a look at the LICENSE file for more information.

This work is inspired by the following excellent research:
Current version is 1.0