CORSTest : A Simple CORS Misconfiguration Scanner

CORStest is a quick & dirty Python 2 tool to find Cross-Origin Resource Sharing (CORS) misconfigurations. It takes a text file as input which may contain a list of domain names or URLs.

Currently, the following potential vulnerabilities are detected by sending a certain Origin request header and checking for the Access-Control-Allow-Origin response header:

  • Developer backdoor: Insecure dev origins like JSFiddle or CodePen are allowed to access this resource
  • Origin reflection: The origin is simply echoed in ACAO header, any site is allowed to access this resource
  • Null misconfiguration: Any site is allowed to access by forcing the null origin via a sandboxed iframe
  • Pre-domain wildcard: notdomain.com is allowed access, which can simply be registered by an attacker
  • Post-domain wildcard: domain.com.evil.com is allowed access, which can be registered by an attacker
  • Subdomains allowed: sub.domain.com allowed access, exploitable if attacker finds XSS in any subdomain
  • Non-ssl sites allowed: A http origin is allowed access to a https resource, allows MitM to break encryption
  • Invalid CORS header: Wrong use of wildcard or multiple origins, not a security problem but should be fixed

Note that these vulnerabilities/misconfigurations are dependend on the context. In most scenarios, they can only be exploited by an attacker if the Access-Control-Allow-Credentials header is present (see -q flag).

Also Read – BurpSuite : Secret Finder Extension To Discover APIkeys/Tokens From HTTP Response

Usage

usage: corstest.py [arguments] infile

positional arguments:
infile File with domain or URL list

optional arguments:
-h, –help show this help message and exit
-c name=value Send cookie with all requests
-p processes multiprocessing (default: 32)
-s always force ssl/tls requests
-q quiet, allow-credentials only
-v produce a more verbose output

CORS For Hackers

Websites enable CORS by sending the following HTTP response header:Access-Control-Allow-Origin: https://example.com

This permits the listed origin (domain) to make visitors’ web browsers issue cross-domain requests to the server and read the responses – something the Same Origin Policy would normally prevent.

By default this request will be issued without cookies or other credentials, so it can’t be used to steal sensitive user-specific information like CSRF tokens. The server can enable credential transmission using the following header:Access-Control-Allow-Credentials: true

This creates a trust relationship – an XSS vulnerability on example.com is bad news for this site.

Example

Use of CORStest to detect misconfigurations for the Alexa top 750 sites (with Access-Control-Allow-Credentials):

Evaluation

Running this CORStest on the Alexa top 1 million sites reveals the following results:

Note that the absolute numbers are quite low, because only 3% of the 1,000,000 tested websites had CORS enabled on their main page and could be analyzed for misconfigurations. This test took about 14 hours on a decent line (DSL). If you have a fast Internet connection, try to increase the number of parallel processes to -p50 or more.

R K

Recent Posts

Configure a Static IP Address on Ubuntu 18.04: Netplan Guide

Setting a static IP address on your server is a smart move. It ensures your…

5 hours ago

Install Xrdp on Ubuntu 18.04: Remote Desktop Setup Guide

Xrdp is an open-source implementation of the Microsoft Remote Desktop Protocol (RDP). It lets you access…

6 hours ago

Add and Delete Users on Ubuntu 18.04: A Practical Guide

Managing user accounts is one of the most basic system administration tasks on any Linux…

6 hours ago

Install Wine on Ubuntu 18.04: Run Windows Apps on Linux

Wine (short for "Wine Is Not an Emulator") is a compatibility layer that lets you run…

6 hours ago

Install KVM on Ubuntu 18.04: Setup, Network, and Create VMs

KVM (Kernel-based Virtual Machine) is an open-source virtualization technology built into the Linux kernel. It lets…

6 hours ago

Upgrade to Ubuntu 20.04 LTS: Prepare, Update, and Confirm

Ubuntu 20.04 LTS (code name Focal Fossa) was released on April 23, 2020. It is a…

1 day ago