Name: CORScanner
Brand: CORScanner
SKU: //chenjj/CORScanner
Rating: 3.172 (586 reviews)

chenjj/ CORScanner

(v0.9.6) 2 months ago

Python

python3

web-security

cors

vulnerability-scanners

View on GitHub

Need help with CORScanner?

Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

chenjj

586 Stars

114 Forks

MIT License

85 Commits

0 Opened issues

Description

Fast CORS misconfiguration vulnerabilities scanner🍻

Services available

Need anything else?

Contributors list

Jianjun Chen chenjj

# 77,527

Python

python3

phishin...

spf

55 commits

Gabriel Compan phackt

# 186,414

Python

python3

web-sec...

cors

7 commits

Malayke Malayke

# 263,070

Python

python3

web-sec...

cors

4 commits

ritiksahni ritiksahni

# 35,952

python3

JavaScr...

unix

reverse...

1 commit

Raza Poonja razapoonja

# 390,386

Python

python3

web-sec...

cors

1 commit

HaYiCle hayicle

# 389,836

Python

python3

web-sec...

cors

1 commit

Readme

About CORScanner

CORScanner is a python tool designed to discover CORS misconfigurations vulnerabilities of websites. It helps website administrators and penetration testers to check whether the domains/urls they are targeting have insecure CORS policies.

Features

Fast. It uses gevent instead of Python threads for concurrency, which is much faster for network scanning.
Comprehensive. It covers all the common types of CORS misconfigurations we know.
Flexible. It supports various self-define features (e.g. file output), which is helpful for large-scale scanning.
🆕 CORScanner supports installation via pip (
```
pip install corscanner
```
or
```
pip install cors
```
)
🆕 CORScanner can be used as a library in your project.

Two useful references for understanding CORS systematically: * USENIX security 18 paper: We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS * 中文详解：绕过浏览器SOP，跨站窃取信息：CORS配置安全漏洞报告及最佳部署实践

Screenshots

Installation

Download this tool

git clone https://github.com/chenjj/CORScanner.git

Install dependencies

sudo pip install -r requirements.txt

CORScanner depends on the

requests

gevent

tldextract

colorama

and

argparse

python modules.

Python Version:

Both Python 2 (2.7.x) and Python 3 (3.7.x) are supported.

CORScanner as a library

Install CORScanner via pip

sudo pip install corscanner

or use the short name:

sudo pip install cors

Example code:

python
>>> from CORScanner.cors_scan import cors_check
>>> ret = cors_check("https://www.instagram.com", None)
>>> ret
{'url': 'https://www.instagram.com', 'type': 'reflect_origin', 'credentials': 'false', 'origin': 'https://evil.com', 'status_code': 200}

You can also use CORScanner via the

corscanner

cors

command:

corscanner -u https://www.instagram.com -vv

Usage

Short Form	Long Form	Description
-u	--url	URL/domain to check it's CORS policy
-d	--headers	Add headers to the request
-i	--input	URL/domain list file to check their CORS policy
-t	--threads	Number of threads to use for CORS scan
-o	--output	Save the results to json file
-v	--verbose	Enable the verbose mode and display results in realtime
-T	--timeout	Set requests timeout (default 5 sec)
-h	--help	show the help message and exit

Examples

To check CORS misconfigurations of specific domain:

python cors_scan.py -u example.com

To enable more debug info, use -vvv:

python cors_scan.py -u example.com -vvv

To check CORS misconfigurations of specific URL:

python cors_scan.py -u http://example.com/restapi

To check CORS misconfiguration with specific headers:

python cors_scan.py -u example.com -d "Cookie: test"

To check CORS misconfigurations of multiple domains/URLs:

python cors_scan.py -i top_100_domains.txt -t 100

To list all the basic options and switches use -h switch:

python cors_scan.py -h

Misconfiguration types

This tool covers the following misconfiguration types:

Misconfiguration type	Description
Reflectanyorigin	Blindly reflect the Origin header value in Access-Control-Allow-Origin headers in responses, which means any website can read its secrets by sending cross-orign requests.
Prefixmatch	wwww.example.com trusts example.com.evil.com , which is an attacker's domain.
Suffixmatch	wwww.example.com trusts evilexample.com , which could be registered by an attacker.
Notescapedot	wwww.example.com trusts wwwaexample.com , which could be registered by an attacker.
Substring match	wwww.example.com trusts example.co , which could be registered by an attacker.
Trustnull	wwww.example.com trusts null , which can be forged by iframe sandbox scripts
HTTPStrustHTTP	Risky trust dependency, a MITM attacker may steal HTTPS site secrets
Trustanysubdomain	Risky trust dependency, a subdomain XSS may steal its secrets
Customthirdparties	Custom unsafe third parties origins like github.io , see more in origins.json file. Thanks @phackt!
Specialcharactersbypass	Exploiting browsers’ handling of special characters. Most can only work in Safari except `</em>`, which can also work in Chrome and Firefox. See more in Advanced CORS Exploitation Techniques. Thanks @Malayke.

Welcome to contribute more.

Exploitation examples

Here is an example about how to exploit "Reflectanyorigin" misconfiguration on Walmart.com(fixed). Localhost is the malicious website in the video.

Walmart.com video on Youtube:

Here is the exploitation code: ```javascript ```

If you have understood how the demo works, you can read Section 5 and Section 6 of the CORS paper and know how to exploit other misconfigurations.

License

CORScanner is licensed under the MIT license. take a look at the LICENSE for more information.

Credits

This work is inspired by the following excellent researches:

James Kettle, “Exploiting CORS misconfigurations for Bitcoins and bounties”, AppSecUSA 2016*
Evan Johnson, “Misconfigured CORS and why web appsec is not getting easier”, AppSecUSA 2016*
Von Jens Müller, "CORS misconfigurations on a large scale", CORStest*

Version

Current version is 1.0