{"id":13542016,"url":"https://github.com/RUB-NDS/CORStest","last_synced_at":"2025-04-02T09:33:11.240Z","repository":{"id":45905286,"uuid":"95961788","full_name":"RUB-NDS/CORStest","owner":"RUB-NDS","description":"A simple CORS misconfiguration scanner","archived":false,"fork":false,"pushed_at":"2020-08-14T19:46:08.000Z","size":2028,"stargazers_count":411,"open_issues_count":7,"forks_count":105,"subscribers_count":21,"default_branch":"master","last_synced_at":"2025-03-30T01:11:15.643Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"http://web-in-security.blogspot.de/2017/07/cors-misconfigurations-on-large-scale.html","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/RUB-NDS.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-07-01T12:03:51.000Z","updated_at":"2025-03-27T13:16:09.000Z","dependencies_parsed_at":"2022-09-08T11:51:01.191Z","dependency_job_id":null,"html_url":"https://github.com/RUB-NDS/CORStest","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RUB-NDS%2FCORStest","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RUB-NDS%2FCORStest/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RUB-NDS%2FCORStest/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RUB-NDS%2FCORStest/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/RUB-NDS","download_url":"https://codeload.github.com/RUB-NDS/CORStest/tar.gz/refs/heads/master","host":{"name":"GitHub","url"
:"https://github.com","kind":"github","repositories_count":246789008,"owners_count":20834214,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T10:01:00.156Z","updated_at":"2025-04-02T09:33:10.310Z","avatar_url":"https://github.com/RUB-NDS.png","language":"Python","funding_links":[],"categories":["Python","Exploitation","Python (1887)"],"sub_categories":["CORS Misconfiguration"],"readme":"## CORStest\n### A simple CORS misconfiguration scanner\n\n**Based on the research of [James Kettle](https://twitter.com/albinowax)**\n\nCORStest is a *quick \u0026 dirty* Python 3 tool to find Cross-Origin Resource Sharing ([CORS](https://www.w3.org/TR/cors/)) misconfigurations. It takes a text file as input which may contain a list of domain names or URLs. 
Currently, the following potential vulnerabilities are detected by sending a certain `Origin` request header and checking for the `Access-Control-Allow-Origin` response header:\n\n- **Developer backdoor:** Insecure dev origins like JSFiddle or CodePen are allowed to access this resource\n- **Origin reflection:** The origin is simply echoed in the ACAO header, so any site is allowed to access this resource\n- **Null misconfiguration:** Any site is allowed access by forcing the `null` origin via a sandboxed iframe\n- **Pre-domain wildcard:** *not*domain.com is allowed access, which can simply be registered by an attacker\n- **Post-domain wildcard:** domain.com.*evil.com* is allowed access, which can be registered by an attacker\n- **Subdomains allowed:** *sub*.domain.com is allowed access, exploitable if an attacker finds XSS in any subdomain\n- **Non-ssl sites allowed:** An http origin is allowed access to an https resource, which allows a MitM to break encryption\n- **Invalid CORS header:** Wrong use of wildcard or multiple origins, not a security problem but should be fixed\n\nNote that these vulnerabilities/misconfigurations are dependent on the context. 
In most scenarios, they can only be exploited by an attacker if the `Access-Control-Allow-Credentials` header is present (see `-q` flag).\n\n### Usage\n\n```\nusage: corstest.py [arguments] infile\n\npositional arguments:\n  infile         File with domain or URL list\n\noptional arguments:\n  -h, --help     show this help message and exit\n  -c name=value  Send cookie with all requests\n  -p processes   multiprocessing (default: 32)\n  -s             always force ssl/tls requests\n  -q             quiet, allow-credentials only\n  -v             produce a more verbose output\n```\n\n### Example\n\nUse of CORStest to detect misconfigurations for the Alexa top 750 sites (with `Access-Control-Allow-Credentials`):\n\n![CORStest example with Alexa top 750 websites](img/example-alexa-750.gif)\n\n### Evaluation\n\nRunning CORStest on the Alexa [top 1 million](http://s3.amazonaws.com/alexa-static/top-1m.csv.zip) sites reveals the following results:\n\n![CORStest example with Alexa top 1,000,000 sites](img/evaluation-alexa-1m.png)\n\nNote that the absolute numbers are quite low, because only 3% of the 1,000,000 tested websites had CORS enabled on their main page and could be analyzed for misconfigurations. This test took about 14 hours on a decent line (DSL). If you have a fast Internet connection, try increasing the number of parallel processes to `-p50` or more.\n\n### Background\n\nRead more on the technical background of CORS misconfigurations in this fine [blogpost](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html) or check out this [talk](https://www.youtube.com/watch?v=wgkj4ZgxI4c). 
A large-scale evaluation of CORS misconfigurations using *CORStest* is documented [here](http://web-in-security.blogspot.de/2017/07/cors-misconfigurations-on-large-scale.html).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FRUB-NDS%2FCORStest","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FRUB-NDS%2FCORStest","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FRUB-NDS%2FCORStest/lists"}
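The detection approach in the README above (one probing `Origin` per misconfiguration class, then a check of the `Access-Control-Allow-Origin` response) and its caveat that findings are usually only exploitable when `Access-Control-Allow-Credentials` is present (the `-q` flag), as an added worked example in Python, the project's language. This is not CORStest's own code. The network round trip is replaced by a `respond(url, origin)` callable so it runs offline; the hostnames `target.example`, `evil.example` and `app.target.example` and the three policy functions are constructed for illustration.

```python
"""Offline model of the checks listed in the CORStest README: build one probing
Origin per misconfiguration class, then judge the Access-Control-Allow-Origin
(ACAO) and Access-Control-Allow-Credentials headers that come back.

Added example, not the project's code. The HTTP round trip is replaced by a
`respond(url, origin) -> headers` callable so it runs offline; the three
policies and all hostnames below are constructed for illustration.
"""
from urllib.parse import urlparse

EVIL = "evil.example"  # hypothetical attacker-registered domain


def _host(url):
    """Hostname of a URL or bare domain (README input may be either)."""
    return urlparse(url if "://" in url else "https://" + url).hostname


def probe_origins(url):
    """Map each misconfiguration class to the Origin header that probes it."""
    host = _host(url)
    return {
        "dev backdoor": "https://jsfiddle.net",
        "reflection": f"https://{EVIL}",
        "null": "null",                                     # sandboxed iframe
        "pre-domain wildcard": f"https://not{host}",        # notdomain.com
        "post-domain wildcard": f"https://{host}.{EVIL}",   # domain.com.evil.com
        "subdomain": f"https://sub.{host}",                 # sub.domain.com
        "non-ssl": f"http://{host}",                        # http origin, https resource
    }


def judge(origin, headers):
    """Classify one response for the probe `origin`.

    Returns None when the probe was not allowed, 'invalid' for header values
    browsers reject anyway, 'allowed' when the probe origin is accepted, and
    'allowed+credentials' when cookies would be sent along (the exploitable case).
    """
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return None
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao == "*":
        return "invalid" if creds else None      # "*" plus credentials is rejected by browsers
    if "," in acao or " " in acao.strip():
        return "invalid"                          # several origins in one header value
    if acao != origin:
        return None                               # some other fixed origin was returned
    return "allowed+credentials" if creds else "allowed"


def scan(url, respond, credentials_only=False):
    """Run every probe and collect the classes that were allowed.
    credentials_only mirrors the -q flag: keep only findings with credentials."""
    findings = {}
    for name, origin in probe_origins(url).items():
        verdict = judge(origin, respond(url, origin))
        if verdict is None or (credentials_only and verdict != "allowed+credentials"):
            continue
        findings[name] = verdict
    return findings


# --- constructed server behaviours -------------------------------------------

def suffix_match_policy(url, origin):
    """Misconfigured: trusts any origin ending in the site's host (an endswith()
    check) plus a JSFiddle dev backdoor, and reflects it with credentials."""
    if origin.endswith(_host(url)) or origin == "https://jsfiddle.net":
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def reflect_no_credentials_policy(url, origin):
    """Echoes every Origin, including null, but never allows credentials."""
    return {"Access-Control-Allow-Origin": origin}


def allowlist_policy(url, origin):
    """Hardened: exact-match allowlist; unknown origins get no ACAO at all."""
    if origin in {"https://app.target.example"}:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    for label, policy in [("suffix match", suffix_match_policy),
                          ("reflection w/o credentials", reflect_no_credentials_policy),
                          ("exact allowlist", allowlist_policy)]:
        print(f"{label}: all={scan('https://target.example', policy)} "
              f"-q={scan('https://target.example', policy, credentials_only=True)}")
```

The suffix-match policy is the interesting case: the post-domain probe is not caught by an `endswith()` check, but the pre-domain, subdomain and plain-http probes all are, and because the response also carries `Access-Control-Allow-Credentials: true` every one of them survives the `-q` filter. The reflecting policy lights up every class, yet with `-q` it reports nothing, which is exactly the README's point about context. The allowlist policy yields no findings because unknown origins never receive an ACAO header at all.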