CORStest is a quick & dirty Python 2 tool to find Cross-Origin Resource Sharing (CORS) misconfigurations. It takes a text file as input which may contain a list of domain names or URLs.
Currently, the following potential vulnerabilities are detected by sending a certain Origin
request header and checking for the Access-Control-Allow-Origin
response header:
null
origin via a sandboxed iframeNote that these vulnerabilities/misconfigurations are dependend on the context. In most scenarios, they can only be exploited by an attacker if the Access-Control-Allow-Credentials header
is present (see -q
flag).
Also Read – BurpSuite : Secret Finder Extension To Discover APIkeys/Tokens From HTTP Response
Usage
usage: corstest.py [arguments] infile
positional arguments:
infile File with domain or URL list
optional arguments:
-h, –help show this help message and exit
-c name=value Send cookie with all requests
-p processes multiprocessing (default: 32)
-s always force ssl/tls requests
-q quiet, allow-credentials only
-v produce a more verbose output
CORS For Hackers
Websites enable CORS by sending the following HTTP response header:Access-Control-Allow-Origin: https://example.com
This permits the listed origin (domain) to make visitors’ web browsers issue cross-domain requests to the server and read the responses – something the Same Origin Policy would normally prevent.
By default this request will be issued without cookies or other credentials, so it can’t be used to steal sensitive user-specific information like CSRF tokens. The server can enable credential transmission using the following header:Access-Control-Allow-Credentials: true
This creates a trust relationship – an XSS vulnerability on example.com is bad news for this site.
Example
Use of CORStest to detect misconfigurations for the Alexa top 750 sites (with Access-Control-Allow-Credentials
):
Evaluation
Running this CORStest on the Alexa top 1 million sites reveals the following results:
Note that the absolute numbers are quite low, because only 3% of the 1,000,000 tested websites had CORS enabled on their main page and could be analyzed for misconfigurations. This test took about 14 hours on a decent line (DSL). If you have a fast Internet connection, try to increase the number of parallel processes to -p50
or more.
Pystinger is a Python-based tool that enables SOCKS4 proxying and port mapping through webshells. It…
Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…
Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…
If you are working with Linux or writing bash scripts, one of the most common…
What is a bash case statement? A bash case statement is a way to control…
Why Do We Check Files in Bash? When writing a Bash script, you often work…