theftfuzzer: fuzzes Cross-Origin Resource Sharing implementations for common misconfigurations

TheftFuzzer is a tool that fuzzes Cross-Origin Resource Sharing implementations for common misconfigurations. You can read the technique here.

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos. Certain “cross-domain” requests, notably Ajax requests, are forbidden by default by the same-origin security policy.

CORS defines a way in which a browser and server can interact to determine whether or not it is safe to allow the cross-origin request. It allows for more freedom and functionality than purely same-origin requests, but is more secure than simply allowing all cross-origin requests.

Bluesmoon [CC BY-SA 4.0], via Wikimedia Commons

Download

git clone https://github.com/lc/theftfuzzer.git

Use

~$ python theftfuzzer.py -h                               

usage: theftfuzzer.py [-h] -d DOMAIN [-c COOKIE]



Cross Origin Resource Sharing Fuzzer by Corben Leo



optional arguments:

  -h, --help            show this help message and exit

  -d DOMAIN, --domain DOMAIN

                        URL / Target to fuzz

  -c COOKIE, --cookie COOKIE

                        File containing cookie to send in fuzzing requests

Source: https://github.com/lc/