About the developer

chenjj
Description

Fast CORS misconfiguration vulnerabilities scanner🍻

About CORScanner

CORScanner is a Python tool designed to discover CORS misconfiguration vulnerabilities in websites. It helps website administrators and penetration testers check whether the domains/URLs they are targeting have insecure CORS policies.

Features

  • Fast. It uses gevent instead of Python threads for concurrency, which is much faster for network scanning.
  • Comprehensive. It covers all the common types of CORS misconfigurations we know of.
  • Flexible. It supports various user-defined options (e.g. file output), which is helpful for large-scale scanning.
  • 🆕 CORScanner supports installation via pip (pip install corscanner or pip install cors).
  • 🆕 CORScanner can be used as a library in your project.

Two useful references for understanding CORS systematically:

  • USENIX Security 18 paper: We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS
  • Chinese write-up: Bypassing the browser SOP to steal information cross-site: CORS configuration vulnerability report and best deployment practices

Screenshots

CORScanner

Installation

  • Download this tool

    git clone https://github.com/chenjj/CORScanner.git
    
  • Install dependencies

    sudo pip install -r requirements.txt
    
    CORScanner depends on the requests, gevent, tldextract, colorama and argparse Python modules.

Python Version:

  • Both Python 2 (2.7.x) and Python 3 (3.7.x) are supported.

CORScanner as a library

  • Install CORScanner via pip:

    sudo pip install corscanner

    or use the short name:

    sudo pip install cors

  • Example code:

    >>> from CORScanner.cors_scan import cors_check
    >>> ret = cors_check("https://www.instagram.com", None)
    >>> ret
    {'url': 'https://www.instagram.com', 'type': 'reflect_origin', 'credentials': 'false', 'origin': 'https://evil.com', 'status_code': 200}

You can also use CORScanner via the corscanner or cors command:

    corscanner -u https://www.instagram.com -vv

Usage

Short Form   Long Form   Description
-u           --url       URL/domain to check its CORS policy
-d           --headers   Add headers to the request
-i           --input     URL/domain list file to check their CORS policies
-t           --threads   Number of threads to use for the CORS scan
-o           --output    Save the results to a JSON file
-v           --verbose   Enable verbose mode and display results in real time
-T           --timeout   Set the requests timeout (default 5 sec)
-h           --help      Show the help message and exit

Examples

  • To check CORS misconfigurations of a specific domain:

    python cors_scan.py -u example.com

  • To enable more debug info, use -vvv:

    python cors_scan.py -u example.com -vvv

  • To check CORS misconfigurations of a specific URL:

    python cors_scan.py -u http://example.com/restapi

  • To check CORS misconfigurations with specific request headers:

    python cors_scan.py -u example.com -d "Cookie: test"

  • To check CORS misconfigurations of multiple domains/URLs:

    python cors_scan.py -i top_100_domains.txt -t 100

  • To list all the basic options and switches, use the -h switch:

    python cors_scan.py -h

Misconfiguration types

This tool covers the following misconfiguration types:

Misconfiguration type: description

  • Reflectanyorigin: Blindly reflects the Origin header value in the Access-Control-Allow-Origin response header, which means any website can read its secrets by sending cross-origin requests.
  • Prefixmatch: www.example.com trusts example.com.evil.com, which is an attacker's domain.
  • Suffixmatch: www.example.com trusts evilexample.com, which could be registered by an attacker.
  • Notescapedot: www.example.com trusts wwwaexample.com, which could be registered by an attacker.
  • Substring match: www.example.com trusts example.co, which could be registered by an attacker.
  • Trustnull: www.example.com trusts null, which can be forged by iframe sandbox scripts.
  • HTTPStrustHTTP: Risky trust dependency; a MITM attacker may steal the HTTPS site's secrets.
  • Trustanysubdomain: Risky trust dependency; an XSS on any subdomain may steal its secrets.
  • Customthirdparties: Custom unsafe third-party origins like github.io; see more in the origins.json file. Thanks @phackt!
  • Specialcharactersbypass: Exploiting browsers’ handling of special characters in the Origin. Most only work in Safari, except the underscore (_), which also works in Chrome and Firefox. See more in Advanced CORS Exploitation Techniques. Thanks @Malayke.

Contributions of more misconfiguration types are welcome.
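The table above describes each misconfiguration as an origin the site wrongly trusts. The following added example (not CORScanner's own code) shows the broken server-side origin check behind each type next to a constructed attacker origin that passes it, and an exact-match allowlist check that rejects all of them; the allowlist and origins are assumptions made for the example.

```python
# Added example, not part of CORScanner: the flawed server-side origin checks
# behind each misconfiguration type, paired with the attacker-controlled origin
# they wrongly trust, and an exact-match allowlist that rejects every one.
import re
from urllib.parse import urlsplit

# Constructed allowlist used by the hardened check.
ALLOWED_ORIGINS = {"https://www.example.com", "https://app.example.com"}

def host_of(origin):
    """Host part of an Origin header value ('' for 'null' or junk)."""
    return urlsplit(origin).hostname or ""

# One flawed way to compare the Origin header with the site's trust list,
# keyed by the CORScanner misconfiguration type it produces.
FLAWED_CHECKS = {
    "Reflectanyorigin": lambda o: True,                                  # echoes any Origin
    "Prefixmatch": lambda o: o.startswith("https://example.com"),        # no boundary after host
    "Suffixmatch": lambda o: o.endswith("example.com"),                  # no leading dot
    "Notescapedot": lambda o: re.match(r"^https://www.example.com$", o) is not None,  # '.' = any char
    "Substring match": lambda o: "example.co" in o,                      # substring anywhere
    "Trustnull": lambda o: o == "null" or o in ALLOWED_ORIGINS,          # sandboxed iframes send null
    "HTTPStrustHTTP": lambda o: host_of(o) == "www.example.com",         # scheme ignored
    "Trustanysubdomain": lambda o: host_of(o).endswith(".example.com"),  # every subdomain trusted
    "Customthirdparties": lambda o: host_of(o).endswith("github.io"),    # shared hosting trusted
}

# Constructed attacker-controlled origins, one per type.
ATTACKER_ORIGINS = {
    "Reflectanyorigin": "https://evil.com",
    "Prefixmatch": "https://example.com.evil.com",
    "Suffixmatch": "https://evilexample.com",
    "Notescapedot": "https://wwwaexample.com",
    "Substring match": "https://example.co",
    "Trustnull": "null",
    "HTTPStrustHTTP": "http://www.example.com",
    "Trustanysubdomain": "https://xss.example.com",
    "Customthirdparties": "https://attacker.github.io",
}

def exact_match(origin):
    """Hardened check: the Origin must equal an allowlisted origin exactly
    (scheme, host, port); no patterns, and 'null' is never allowed."""
    return origin in ALLOWED_ORIGINS

def audit():
    """For each type: does the flawed check trust the attacker origin while
    the exact-match check rejects it?  Expect True for every entry."""
    return {t: FLAWED_CHECKS[t](ATTACKER_ORIGINS[t]) and not exact_match(ATTACKER_ORIGINS[t])
            for t in FLAWED_CHECKS}
```

Running audit() returns True for every type, which is exactly the gap CORScanner probes for from the outside: a response that echoes an attacker origin in Access-Control-Allow-Origin.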

Exploitation examples

Here is an example of how to exploit the "Reflectanyorigin" misconfiguration on Walmart.com (since fixed). Localhost is the malicious website in the video.

Walmart.com video on Youtube:

Walmart_CORS_misconfiguration_exploitation

Here is the exploitation code:

If you have understood how the demo works, you can read Section 5 and Section 6 of the CORS paper to learn how the other misconfigurations can be exploited.

License

CORScanner is licensed under the MIT license. Take a look at the LICENSE file for more information.

Credits

This work is inspired by the following excellent research:

  • James Kettle, “Exploiting CORS misconfigurations for Bitcoins and bounties”, AppSecUSA 2016
  • Evan Johnson, “Misconfigured CORS and why web appsec is not getting easier”, AppSecUSA 2016
  • Jens Müller, "CORS misconfigurations on a large scale", CORStest

Version

Current version is 1.0
