CORScanner: Fast CORS misconfiguration vulnerabilities scanner

About CORScanner

CORScanner is a Python tool designed to discover CORS misconfiguration vulnerabilities in websites. It helps website administrators and penetration testers check whether the domains/URLs they are targeting have insecure CORS policies.

Correctly configuring a CORS policy is critical to website security, but CORS origin validation has many error-prone corner cases. Web developers who are not aware of these corner cases are likely to make mistakes. We therefore summarize the common types of CORS misconfiguration and integrate checks for each of them into this tool, to help developers and security practitioners quickly locate and detect such issues.


Installation

git clone https://github.com/chenjj/CORScanner.git
cd CORScanner
sudo pip install -r requirements.txt

Usage

Short Form   Long Form    Description
-u           --url        URL/domain whose CORS policy should be checked
-i           --input      File listing URLs/domains whose CORS policies should be checked
-t           --threads    Number of threads to use for the CORS scan
-o           --output     Save the results to a text file
-v           --verbose    Enable verbose mode and display results in real time
-h           --help       Show the help message and exit

Examples

  • To check CORS misconfigurations of a specific domain:

python cors_scan.py -u example.com

  • To check CORS misconfigurations of specific URL:

python cors_scan.py -u http://example.com/restapi

  • To check CORS misconfigurations of multiple domains/URLs:

python cors_scan.py -i top_100_domains.txt -t 100

  • To list all the basic options and switches use -h switch:

python cors_scan.py -h

Misconfiguration types

Misconfiguration type   Description
Reflect_any_origin      Blindly reflects the Origin request header value in the Access-Control-Allow-Origin response header; if credentials are also allowed, any website can read the site's authenticated responses with cross-origin requests
Prefix_match            www.example.com trusts example.com.evil.com, an attacker's domain that merely starts with the trusted host
Suffix_match            www.example.com trusts evilexample.com, which an attacker can register because only the ending of the host is compared
Not_escape_dot          www.example.com trusts wwwaexample.com, because an unescaped "." in the validation regex matches any character
Substring_match         www.example.com trusts example.co, a registrable domain that happens to be a substring of the trusted host
Trust_null              www.example.com trusts the "null" origin, which an attacker can produce with a sandboxed iframe
HTTPS_trust_HTTP        An HTTPS site trusts its own HTTP origin: a risky trust dependency, since a MITM attacker on the HTTP side may steal the HTTPS site's secrets
Trust_any_subdomain     Any subdomain is trusted: a risky trust dependency, since an XSS on one subdomain may steal the main site's secrets
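The following is an added example, not CORScanner's own code. It models offline what the scanner does for each row of the table: it derives one attacker-controllable Origin per misconfiguration type from a trusted origin, sends each probe to a constructed in-process "server" whose origin check reproduces the mistake from that row (alongside an exact-match allowlist for comparison), and flags a type when the probe value is reflected back in Access-Control-Allow-Origin. The hostnames (www.example.com, evil.com) and the validator function names are placeholders; the registrable-domain helper is a deliberate simplification that ignores the public-suffix list.

```python
import re
from urllib.parse import urlparse

SITE = "https://www.example.com"  # placeholder trusted origin


def _host(origin: str) -> str:
    """Hostname of an origin string; the literal 'null' origin has none."""
    return urlparse(origin).hostname or ""


def _registrable(host: str) -> str:
    """Last two labels, e.g. 'www.example.com' -> 'example.com'.
    Assumption: no public-suffix list, so 'foo.example.co.uk' is handled wrongly."""
    return ".".join(host.split(".")[-2:])


def probes(trusted: str) -> dict:
    """One attacker-controllable Origin per misconfiguration type in the table.
    Hosts containing 'evil' stand in for domains the attacker registers."""
    scheme, host = urlparse(trusted).scheme, _host(trusted)
    reg = _registrable(host)
    return {
        "reflect_any_origin": f"{scheme}://evil.com",
        "prefix_match": f"{scheme}://{host}.evil.com",        # trusted host + attacker suffix
        "suffix_match": f"{scheme}://evil{reg}",              # attacker prefix + registrable domain
        "not_escape_dot": f"{scheme}://{host.replace('.', 'a', 1)}",  # '.' matched any char
        "substring_match": f"{scheme}://{reg[:-1]}",          # 'example.co' is inside the host
        "trust_null": "null",                                 # what a sandboxed iframe sends
        "https_trust_http": f"http://{host}",                 # same host, downgraded scheme
        "trust_any_subdomain": f"{scheme}://evil.{reg}",      # an XSS'd or dangling subdomain
    }


# Flawed server-side origin checks, one per table row (constructed, each deliberately wrong).
def reflect_any_origin(origin, trusted):
    return True


def prefix_match(origin, trusted):
    return _host(origin).startswith(_host(trusted))


def suffix_match(origin, trusted):
    return _host(origin).endswith(_registrable(_host(trusted)))


def not_escape_dot(origin, trusted):
    # regex built from the trusted origin without re.escape(): '.' matches any character
    return re.fullmatch(trusted, origin) is not None


def substring_match(origin, trusted):
    # checks containment in the wrong direction: is the request origin inside the trusted host?
    return bool(_host(origin)) and _host(origin) in _host(trusted)


def trust_null(origin, trusted):
    return origin == trusted or origin == "null"


def https_trust_http(origin, trusted):
    return _host(origin) == _host(trusted)  # scheme is ignored


def trust_any_subdomain(origin, trusted):
    h, reg = _host(origin), _registrable(_host(trusted))
    return h == reg or h.endswith("." + reg)


def exact_allowlist(origin, trusted):
    """Hardened form: compare the whole origin string against an explicit allowlist."""
    return origin in {trusted}


def fake_server(validator, trusted):
    """Return a function answering a request with the CORS headers a server using
    `validator` would emit. Constructed stand-in for a real HTTP round trip."""
    def respond(origin: str) -> dict:
        if validator(origin, trusted):
            return {"Access-Control-Allow-Origin": origin,
                    "Access-Control-Allow-Credentials": "true"}
        return {}
    return respond


def scan(trusted: str, respond) -> dict:
    """CORScanner-style check: send every probe Origin and flag each type whose probe
    comes back reflected in Access-Control-Allow-Origin. The value records whether
    credentials were allowed too, which is what makes the reflection exploitable."""
    findings = {}
    for kind, origin in probes(trusted).items():
        if kind == "https_trust_http" and not trusted.startswith("https://"):
            continue  # the downgrade probe only means something for an HTTPS site
        headers = respond(origin)
        if headers.get("Access-Control-Allow-Origin") == origin:
            creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
            findings[kind] = creds
    return findings


if __name__ == "__main__":
    for v in (reflect_any_origin, prefix_match, suffix_match, not_escape_dot, substring_match,
              trust_null, https_trust_http, trust_any_subdomain, exact_allowlist):
        print(f"{v.__name__:20} -> {sorted(scan(SITE, fake_server(v, SITE)))}")
```

Note that several flawed checks trip more than their "own" probe: a suffix check on example.com also accepts wwwaexample.com and evil.example.com, and every check that compares only the hostname accepts the HTTP downgrade. That is why the scanner sends the whole probe set rather than guessing which single mistake the target made.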

Copyright (c) 2018 Jianjun Chen

Source: https://github.com/chenjj/
