CORScanner: Fast CORS misconfiguration vulnerabilities scanner

About CORScanner

CORScanner is a python tool designed to discover CORS misconfigurations vulnerabilities of websites. It helps website administrators and penetration testers to check whether the domains/urls they are targeting have insecure CORS policies.

The correct configuration of CORS policy is critical to website security, but CORS configurations have many error-prone corner cases. Web developers who are not aware of these corner cases are likely to make mistakes. Thus, we summarize different common types of CORS misconfigurations and integrate them into this tool, to help developers/security-practitioners quickly locate and detect such security issues.



git clone
sudo pip install -r requirements.txt


Short FormLong FormDescription
-u–urlURL/domain to check it’s CORS policy
-i–inputURL/domain list file to check their CORS policy
-t–threadsNumber of threads to use for CORS scan
-o–outputSave the results to a text file
-v–verboseEnable the verbose mode and display results in real-time
-h–helpshow the help message and exit


  • To check CORS misconfigurations of a specific domain:

python -u

  • To check CORS misconfigurations of specific URL:

python -u

  • To check CORS misconfigurations of multiple domains/URLs:

python -i top_100_domains.txt -t 100

  • To list all the basic options and switches use -h switch:

python -h

Misconfiguration types

Misconfiguration typeDescription
Reflect_any_originBlindly reflect the Origin header value in Access-Control-Allow-Origin headers in responses trusts trusts trusts
Substring trusts trusts null, which can be forged by iframe sandbox scripts
HTTPS_trust_HTTPRisky trust dependency, a MITM attacker may steal HTTPS site secrets
trust_any_subdomainRisky trust dependency, a subdomain XSS may steal its secrets

Copyright (c) 2018 Jianjun Chen