crossdomain: Checking for CORS misconfiguration

crossdomain

Checking for CORS misconfiguration

Download

git clone https://github.com/dienuet/crossdomain.git

Use

  1. Scanning for list domains
  • python corser.py -list_domain ~/aquatone/target.com/urls.txt -origin attacker.com

the file is a list subdomains that’s result from aquatone tool

alt text

  1. Bruteforce endpoints and then checking for cors
  • python corser.py -u https://target.com/ -list_endpoint ~/Desktop/listendpoint.txt -origin attacker.com

alt text

  1. Trying to bypass origin when we encounter filter

simple filter

<?php
if(isset($_SERVER['HTTP_ORIGIN'])){
	if(preg_match('/^http:\/\/dienpv\.com/', $_SERVER['HTTP_ORIGIN'])){
		header("Access-Control-Allow-Origin: ".$_SERVER['HTTP_ORIGIN']);
		header("Access-Control-Allow-Credentials: True");
	}
	else{
		header("Access-Control-Allow-Origin: "."http://dienpv.com");
		header("Access-Control-Allow-Credentials: True");
	}
}

echo "your code: hacker1337";
?>

 

  • python corser.py -u https://target.com -origin attacker.com -fuzz true

alt text

  1. Gen Poc
  • python corser.py -poc GET
  • python corser.py -poc POST

alt text

additional options

-t : set number of threads

-header : custom your request if website requires authenticated cookie

ex: python corser.py -u https://target.com -header “Cookie:sessid=123456;role=user, Authorization: zxbdGDH7438”

Source: https://github.com/dienuet/

Share