by chenjj

chenjj / CORScanner

Fast CORS misconfiguration vulnerabilities scanner🍻

529 Stars 99 Forks Last release: Not found MIT License 71 Commits 0 Releases


About CORScanner

CORScanner is a Python tool designed to discover CORS misconfiguration vulnerabilities in websites. It helps website administrators and penetration testers check whether the domains/URLs they are responsible for or targeting have insecure CORS policies.


  • Fast. It uses gevent instead of Python threads for concurrency, which is much faster for network scanning.
  • Comprehensive. It covers all the common types of CORS misconfigurations we know.
  • Flexible. It supports various user-defined features (e.g. file output), which is helpful for large-scale scanning.

Two useful references for understanding CORS systematically:

  • USENIX Security 18 paper: We Still Don't Have Secure Cross-Domain Requests: an Empirical Study of CORS
  • Chinese write-up: Bypassing the browser SOP to steal information cross-site: a report on CORS configuration security vulnerabilities and best deployment practices




  • Download this tool

    git clone

  • Install dependencies

    sudo pip install -r requirements.txt

    CORScanner depends on the Python modules installed by that command.

Python Version:

  • Both Python 2 (2.7.x) and Python 3 (3.7.x) are supported.


| Short form | Long form | Description |
|---|---|---|
| -u | --url | URL/domain whose CORS policy should be checked |
| -d | --headers | Add headers to the request |
| -i | --input | File listing URLs/domains whose CORS policies should be checked |
| -t | --threads | Number of threads to use for the CORS scan |
| -o | --output | Save the results to a JSON file |
| -v | --verbose | Enable verbose mode and display results in real time |
| -h | --help | Show the help message and exit |


  • To check CORS misconfigurations of a specific domain:

    python -u

  • To enable more debug info, use -vvv:

    python -u -vvv

  • To check CORS misconfigurations of a specific URL:

    python -u

  • To check CORS misconfigurations with specific headers:

    python -u -d "Cookie: test"

  • To check CORS misconfigurations of multiple domains/URLs:

    python -i top_100_domains.txt -t 100

  • To list all the basic options and switches, use the -h switch:

    python -h

Misconfiguration types

This tool covers the following misconfiguration types:

| Misconfiguration type | Description |
|---|---|
| Reflect any origin | Blindly reflects the Origin header value in the Access-Control-Allow-Origin response header, which means any website can read its secrets by sending cross-origin requests. |
| | Trusts an origin which is an attacker's domain. |
| | Trusts an origin which could be registered by an attacker. |
| | Trusts an origin which could be registered by an attacker. |
| Substring match | Trusts an origin which could be registered by an attacker. |
| | Trusts an origin which can be forged by iframe sandbox scripts. |
| HTTPS trusts HTTP | Risky trust dependency: a MITM attacker may steal the HTTPS site's secrets. |
| Trust any subdomain | Risky trust dependency: an XSS on any subdomain may steal its secrets. |
| Custom third parties | Custom unsafe third-party origins; see the origins.json file for the list. Thanks @phackt! |
| Special characters bypass | Exploits browsers' handling of special characters in the Origin. Most only work in Safari, except one that also works in Chrome and Firefox. See more in Advanced CORS Exploitation Techniques. Thanks @Malayke. |

Welcome to contribute more.
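To make the table concrete, here is an added, offline example (not CORScanner's own code) of the detection logic behind it: it builds one probe Origin per misconfiguration type, feeds each probe to a stand-in "server" function, and classifies the response by whether the sent Origin comes back in Access-Control-Allow-Origin, and whether Access-Control-Allow-Credentials is set. The type labels, the `evil.test` domain and the naive "last two labels" registrable-domain rule are this example's own assumptions; the real tool sends the probes over HTTP and uses its own names.

```python
"""Offline CORS probe/classify example. Added illustration, not CORScanner's code."""
from urllib.parse import urlparse


def probe_origins(target_url):
    """Return {probe_type: Origin value} for the checks in the table above.

    'evil.test' is a constructed placeholder for an attacker-registered domain.
    The registrable domain is approximated as the last two host labels
    (assumption; a real scanner would consult the public suffix list).
    """
    parts = urlparse(target_url)
    scheme, host = parts.scheme or "https", parts.hostname
    registrable = ".".join(host.split(".")[-2:])          # www.example.com -> example.com
    probes = {
        "reflect_any_origin": f"{scheme}://evil.test",     # unrelated attacker domain
        "suffix_match": f"{scheme}://evil{registrable}",   # evilexample.com
        "substring_match": f"{scheme}://{registrable[:-1]}",  # example.co
        "trust_any_subdomain": f"{scheme}://evil.{host}",  # an XSS-able subdomain
        "trust_null": "null",                              # forgeable via sandboxed iframe
    }
    if scheme == "https":
        probes["https_trust_http"] = f"http://{host}"     # downgrade trust
    return probes


def classify(origin_sent, probe_type, headers):
    """Map one probe's response headers to a finding dict, or None if not trusted."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return None
    if acao == "*":
        # Browsers never attach credentials to a "*" policy, so only public
        # data is readable; report it separately from reflection bugs.
        return {"type": "wildcard", "credentials": False, "origin": origin_sent}
    if acao == origin_sent:
        return {"type": probe_type, "credentials": creds, "origin": origin_sent}
    return None


def scan_recorded(target_url, responder):
    """Run every probe through `responder` (Origin -> response header dict).

    A reflect-any-origin (or wildcard) hit subsumes every other type, because
    the more specific probes would all be reflected too, so stop after it.
    """
    probes = probe_origins(target_url)
    first_origin = probes["reflect_any_origin"]
    first = classify(first_origin, "reflect_any_origin", responder(first_origin))
    if first:
        return [first]
    findings = []
    for ptype, origin in probes.items():
        if ptype == "reflect_any_origin":
            continue
        finding = classify(origin, ptype, responder(origin))
        if finding:
            findings.append(finding)
    return findings


def substring_policy_server(origin):
    """Constructed stand-in for a server whose check is `"example.co" in origin`."""
    if "example.co" in origin:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


if __name__ == "__main__":
    for f in scan_recorded("https://www.example.com/api", substring_policy_server):
        print(f"{f['type']:<20} trusted {f['origin']} (credentials={f['credentials']})")
```

Run against the constructed substring-matching server, the scan reports suffix match, substring match, trust-any-subdomain and HTTPS-trusts-HTTP, all with credentials, while the unrelated `evil.test` origin and `null` are correctly rejected. That is also why a real scan has to send every probe: a server that passes the reflect-any-origin check can still fail several of the narrower ones.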

Exploitation examples

Here is an example of how to exploit the "Reflect any origin" misconfiguration; localhost plays the malicious website in the video. Video on YouTube:

Here is the exploitation code:

```javascript
```

If you have understood how the demo works, you can read Section 5 and Section 6 of the CORS paper and know how to exploit other misconfigurations.
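The flip side of the scanner is the server-side check that causes most rows of the table. The following added example (not CORScanner's code, and not the paper's) shows the typical buggy logic next to an exact-match allowlist, and a small harness that reports which attacker-controlled origins each version would trust. The allowlist, the attacker origins and the function names are constructed for illustration.

```python
"""Insecure vs. hardened server-side origin validation. Added example only."""
from urllib.parse import urlparse

# Constructed allowlist: full origins, scheme included, no wildcards.
ALLOWED_ORIGINS = {"https://www.example.com", "https://app.example.com"}

# Constructed attacker-side origins, one per misconfiguration pattern.
ATTACKER_ORIGINS = [
    "https://www.example.com.evil.test",  # prefix: target name inside attacker domain
    "https://evilexample.com",            # suffix: attacker-registered look-alike
    "https://evil.www.example.com",       # any subdomain (XSS on one is enough)
    "http://www.example.com",             # HTTPS site trusting HTTP (MITM)
    "null",                               # forgeable via sandboxed iframe
]


def insecure_cors_headers(origin):
    """Typical buggy logic: trust anything that *contains* the company domain
    and echo it back with credentials enabled."""
    if origin and "example.com" in origin:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def secure_cors_headers(origin):
    """Exact-match allowlist: scheme and host (and port) must be identical,
    'null' is never trusted, and Vary: Origin stops shared caches from serving
    one origin's response to another."""
    if not origin or origin == "null":
        return {}
    parsed = urlparse(origin)
    # A real Origin header is scheme://host[:port] only; anything else is junk.
    if parsed.scheme != "https" or parsed.path or parsed.query or parsed.fragment:
        return {}
    normalized = f"{parsed.scheme}://{parsed.netloc}".lower()
    if normalized not in ALLOWED_ORIGINS:
        return {}
    # Echo the allowlisted value, not the raw header, so nothing untrusted is reflected.
    return {"Access-Control-Allow-Origin": normalized,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def accepted_origins(handler, origins=ATTACKER_ORIGINS):
    """Return the set of origins for which `handler` emits an ACAO header."""
    return {o for o in origins if "Access-Control-Allow-Origin" in handler(o)}


if __name__ == "__main__":
    print("insecure trusts:", sorted(accepted_origins(insecure_cors_headers)))
    print("secure trusts:  ", sorted(accepted_origins(secure_cors_headers)))
```

The insecure version trusts four of the five attacker origins (only `null` escapes the substring test); the hardened version trusts none of them and still serves the two allowlisted origins. Note that the hardened handler keeps Access-Control-Allow-Credentials: true, which is fine exactly because the origin set is closed; with a reflected or wildcard-like policy that header is what turns a misconfiguration into a data leak.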


CORScanner is licensed under the MIT license. Take a look at the LICENSE file for more information.


This work is inspired by the following excellent research:

  • James Kettle, "Exploiting CORS misconfigurations for Bitcoins and bounties", AppSecUSA 2016
  • Evan Johnson, "Misconfigured CORS and why web appsec is not getting easier", AppSecUSA 2016
  • Von Jens Müller, "CORS misconfigurations on a large scale", CORStest


Current version is 1.0
