Fast CORS misconfiguration vulnerability scanner 🍻

CORScanner is a Python tool designed to discover CORS misconfiguration vulnerabilities in websites. It helps website administrators and penetration testers check whether the domains/URLs they are targeting have insecure CORS policies.

Two useful references for understanding CORS systematically:
* USENIX Security '18 paper: We Still Don't Have Secure Cross-Domain Requests: an Empirical Study of CORS
* Chinese write-up: Bypassing the browser SOP to steal information cross-site: a report on CORS configuration security vulnerabilities and best deployment practices
Download this tool

```
git clone https://github.com/chenjj/CORScanner.git
sudo pip install -r requirements.txt
```

CORScanner depends on the
|Option|Long form|Description|
|---|---|---|
|-u|--url|URL/domain to check its CORS policy|
|-d|--headers|Add headers to the request|
|-i|--input|File containing a list of URLs/domains to check their CORS policies|
|-t|--threads|Number of threads to use for the CORS scan|
|-o|--output|Save the results to a JSON file|
|-v|--verbose|Enable verbose mode and display results in real time|
|-h|--help|Show the help message and exit|
```
python cors_scan.py -u example.com
python cors_scan.py -u example.com -vvv
python cors_scan.py -u http://example.com/restapi
python cors_scan.py -u example.com -d "Cookie: test"
python cors_scan.py -i top_100_domains.txt -t 100
python cors_scan.py -h
```
This tool covers the following misconfiguration types:

|Misconfiguration type|Description|
|---|---|
|Reflect any origin|Blindly reflects the Origin header value in the Access-Control-Allow-Origin response header, which means any website can read the site's secrets by sending cross-origin requests.|
|Trusting attacker-controllable origins|The policy trusts origins it should not, for example: example.com.evil.com, which is an attacker's domain; evilexample.com, wwwaexample.com and example.co, which could be registered by an attacker; and null, which can be forged by iframe sandbox scripts.|
|HTTPS trusts HTTP|Risky trust dependency: a MITM attacker may steal the HTTPS site's secrets.|
|Trust any subdomain|Risky trust dependency: an XSS on any subdomain may steal the site's secrets.|
|Custom third parties|Custom unsafe third-party origins such as github.io; see the origins.json file for more. Thanks @phackt!|
|Special characters bypass|Exploiting browsers' handling of special characters. Most can only work in Safari except|

Contributions of more cases are welcome.
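To make the table concrete, here is an added example (not CORScanner's own code) of the core check such a scanner performs: send each probe Origin, and flag the probe as allowed only when the server echoes that exact origin in Access-Control-Allow-Origin. The probe labels and origins, and the three stand-in "servers" used in place of real HTTP responses, are assumptions constructed for this illustration; one stub models the unescaped-dot regex flaw from the table, and one shows the strict allowlist that defeats every probe.

```python
import re
from typing import Callable, Dict, List, Tuple

# Probe origins for a target at www.example.com. Labels and origins are
# constructed for this example; they are not the tool's own origins.json.
PROBES = {
    "reflect_any_origin": "https://evil.com",
    "prefix_match": "https://example.com.evil.com",
    "suffix_match": "https://evilexample.com",
    "not_escape_dot": "https://wwwaexample.com",
    "substring_match": "https://example.co",
    "trust_null": "null",
    "https_trust_http": "http://www.example.com",
    "trust_any_subdomain": "https://xss.example.com",
}

Fetch = Callable[[str], Dict[str, str]]  # Origin header value -> response headers

def scan(fetch: Fetch) -> List[Tuple[str, str, bool]]:
    """Send each probe Origin; return (label, origin, credentials_allowed)
    for every probe the server allows. A browser lets the probing origin
    read the response only when Access-Control-Allow-Origin echoes that
    exact origin; with Allow-Credentials: true that read is authenticated."""
    findings = []
    for label, origin in PROBES.items():
        headers = {k.lower(): v for k, v in fetch(origin).items()}
        if headers.get("access-control-allow-origin") == origin:
            creds = headers.get("access-control-allow-credentials", "")
            findings.append((label, origin, creds.lower() == "true"))
    return findings


def _allow(origin: str) -> Dict[str, str]:
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}

# Constructed stand-ins for a server's CORS logic, so this runs without a network.

def reflect_any_origin_server(origin: str) -> Dict[str, str]:
    """Echoes whatever Origin arrives: every probe is allowed."""
    return _allow(origin)

def unescaped_dot_server(origin: str) -> Dict[str, str]:
    """Regex allowlist whose '.' is unescaped, so wwwaexample.com passes."""
    return _allow(origin) if re.match(r"^https://www.example.com$", origin) else {}

def strict_allowlist_server(origin: str) -> Dict[str, str]:
    """Hardened form: exact match against a fixed set of full origins."""
    return _allow(origin) if origin in {"https://www.example.com"} else {}
```

Replacing the stubs with a function that issues a real request carrying the probe as its Origin header turns this into a live check; the classification logic stays the same.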
Here is an example of how the "Reflect any origin" misconfiguration was exploited on Walmart.com (since fixed). In the video, localhost plays the role of the malicious website.

Walmart.com video on YouTube:

Once you understand how the demo works, read Sections 5 and 6 of the CORS paper to learn how the other misconfigurations can be exploited.
CORScanner is licensed under the MIT license. Take a look at the LICENSE file for more information.

This work is inspired by the following excellent research:
Current version is 1.0