CORStest is a quick & dirty Python 2 tool to find Cross-Origin Resource Sharing (CORS) misconfigurations. It takes a text file as input which may contain a list of domain names or URLs.
Currently, the following potential vulnerabilities are detected by sending a certain Origin
request header and checking for the Access-Control-Allow-Origin
response header:
null
origin via a sandboxed iframeNote that these vulnerabilities/misconfigurations are dependend on the context. In most scenarios, they can only be exploited by an attacker if the Access-Control-Allow-Credentials header
is present (see -q
flag).
Also Read – BurpSuite : Secret Finder Extension To Discover APIkeys/Tokens From HTTP Response
Usage
usage: corstest.py [arguments] infile
positional arguments:
infile File with domain or URL list
optional arguments:
-h, –help show this help message and exit
-c name=value Send cookie with all requests
-p processes multiprocessing (default: 32)
-s always force ssl/tls requests
-q quiet, allow-credentials only
-v produce a more verbose output
CORS For Hackers
Websites enable CORS by sending the following HTTP response header:Access-Control-Allow-Origin: https://example.com
This permits the listed origin (domain) to make visitors’ web browsers issue cross-domain requests to the server and read the responses – something the Same Origin Policy would normally prevent.
By default this request will be issued without cookies or other credentials, so it can’t be used to steal sensitive user-specific information like CSRF tokens. The server can enable credential transmission using the following header:Access-Control-Allow-Credentials: true
This creates a trust relationship – an XSS vulnerability on example.com is bad news for this site.
Example
Use of CORStest to detect misconfigurations for the Alexa top 750 sites (with Access-Control-Allow-Credentials
):
Evaluation
Running this CORStest on the Alexa top 1 million sites reveals the following results:
Note that the absolute numbers are quite low, because only 3% of the 1,000,000 tested websites had CORS enabled on their main page and could be analyzed for misconfigurations. This test took about 14 hours on a decent line (DSL). If you have a fast Internet connection, try to increase the number of parallel processes to -p50
or more.
Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…
Docker is one of the most widely used containerization platforms. But there may come a…
Introduction Google Dorking is a technique where advanced search operators are used to uncover information…
Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…
What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…
Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…