Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/RUB-NDS/CORStest
A simple CORS misconfiguration scanner
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/RUB-NDS/CORStest
- Owner: RUB-NDS
- License: gpl-2.0
- Created: 2017-07-01T12:03:51.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2020-08-14T19:46:08.000Z (over 4 years ago)
- Last Synced: 2024-11-03T04:32:44.075Z (2 months ago)
- Language: Python
- Homepage: http://web-in-security.blogspot.de/2017/07/cors-misconfigurations-on-large-scale.html
- Size: 1.93 MB
- Stars: 403
- Watchers: 21
- Forks: 102
- Open Issues: 7
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-bugbounty-tools - CORStest - A simple CORS misconfiguration scanner (Exploitation / CORS Misconfiguration)
- awesome-hacking-lists - RUB-NDS/CORStest - A simple CORS misconfiguration scanner (Python)
README
## CORStest
### A simple CORS misconfiguration scanner

**Based on the research of [James Kettle](https://twitter.com/albinowax)**
CORStest is a *quick & dirty* Python 3 tool to find Cross-Origin Resource Sharing ([CORS](https://www.w3.org/TR/cors/)) misconfigurations. It takes a text file as input which may contain a list of domain names or URLs. Currently, the following potential vulnerabilities are detected by sending a certain `Origin` request header and checking for the `Access-Control-Allow-Origin` response header:
- **Developer backdoor:** Insecure dev origins like JSFiddle or CodePen are allowed to access this resource
- **Origin reflection:** The origin is simply echoed in the ACAO header, so any site is allowed to access this resource
- **Null misconfiguration:** Any site is allowed access by forcing the `null` origin via a sandboxed iframe
- **Pre-domain wildcard:** *not*domain.com is allowed access, which can simply be registered by an attacker
- **Post-domain wildcard:** domain.com.*evil.com* is allowed access, which can be registered by an attacker
- **Subdomains allowed:** *sub*.domain.com is allowed access, exploitable if an attacker finds XSS in any subdomain
- **Non-ssl sites allowed:** An http origin is allowed access to an https resource, which lets a MitM attacker bypass the encryption
- **Invalid CORS header:** Wrong use of wildcard or multiple origins, not a security problem but should be fixed

Note that these vulnerabilities/misconfigurations are dependent on the context. In most scenarios, they can only be exploited by an attacker if the `Access-Control-Allow-Credentials` header is present (see `-q` flag).
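The checks listed above all follow the same pattern: send a crafted `Origin` header and compare it with the `Access-Control-Allow-Origin` (and `Access-Control-Allow-Credentials`) response headers. The following is an added example, not code from the CORStest project, that implements that classification offline against constructed responder functions standing in for a server; the probe origins (`evil-origin.example`, `evil-sub.`, etc.), the `Responder` callback shape and the three sample servers are assumptions made for the example.

```python
"""Offline classifier for the CORS misconfiguration categories a scanner probes.

Added example, not part of CORStest. A `Responder` stands in for an HTTP
server: it receives the value of the probe `Origin` header and returns the
response headers it would emit. This keeps the logic testable without network
access; a real scanner would wrap an HTTP client in the same callable shape.
"""
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

Headers = Dict[str, str]
Responder = Callable[[str], Headers]  # Origin header value -> response headers


def probes(host: str) -> List[Tuple[str, str]]:
    """One probe Origin per misconfiguration category, named as in the README.

    Reflection comes first: if every origin is echoed back, the remaining
    probes would all match too and add nothing.
    """
    return [
        ("origin reflection", "https://evil-origin.example"),   # assumed probe name
        ("developer backdoor", "https://jsfiddle.net"),
        ("null misconfiguration", "null"),
        ("pre-domain wildcard", f"https://evil{host}"),
        ("post-domain wildcard", f"https://{host}.evil-origin.example"),
        ("subdomains allowed", f"https://evil-sub.{host}"),
        ("non-ssl sites allowed", f"http://{host}"),
    ]


def audit_cors(host: str, responder: Responder) -> List[str]:
    """Return the sorted, de-duplicated list of findings for `host`."""
    findings: List[str] = []
    for name, origin in probes(host):
        headers = {k.lower(): v for k, v in responder(origin).items()}
        acao = headers.get("access-control-allow-origin")
        if acao is None:
            continue  # CORS not enabled for this probe; nothing to judge
        creds = headers.get("access-control-allow-credentials", "").lower() == "true"
        tag = "with credentials" if creds else "without credentials"
        if acao == "*":
            # Browsers refuse a wildcard combined with credentials, so this is a
            # broken header rather than an exploitable grant.
            if creds:
                findings.append("invalid CORS header: wildcard with credentials")
            continue
        if "," in acao or " " in acao.strip():
            findings.append("invalid CORS header: multiple origins listed")
            continue
        if acao == origin:
            findings.append(f"{name} ({tag})")
            if name == "origin reflection":
                break  # every origin is echoed; other probes are subsumed
    return sorted(set(findings))


# --- Constructed sample servers (not real sites) ------------------------------

def naive_suffix_server(origin: str) -> Headers:
    """Allows any origin whose hostname merely ends with 'example.com'."""
    host = urlparse(origin).hostname or ""
    if host.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def reflecting_server(origin: str) -> Headers:
    """Echoes whatever Origin it receives, with credentials."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def strict_allowlist_server(origin: str) -> Headers:
    """Exact-match allowlist: the correct way to grant credentialed access."""
    allowed = {"https://example.com", "https://app.example.com"}
    if origin in allowed:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    for label, server in [("suffix match", naive_suffix_server),
                          ("reflection", reflecting_server),
                          ("strict allowlist", strict_allowlist_server)]:
        print(f"{label}: {audit_cors('example.com', server) or ['no findings']}")
```

The suffix-matching server shows why a single sloppy comparison produces three distinct findings at once (pre-domain wildcard, subdomain and non-ssl), while the exact-match allowlist, which also sends `Vary: Origin` so caches do not serve one origin's grant to another, produces none.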
### Usage
```
usage: corstest.py [arguments] infile

positional arguments:
  infile          File with domain or URL list

optional arguments:
  -h, --help      show this help message and exit
  -c name=value   Send cookie with all requests
  -p processes    multiprocessing (default: 32)
  -s              always force ssl/tls requests
  -q              quiet, allow-credentials only
  -v              produce a more verbose output
```

### Example
Use of CORStest to detect misconfigurations for the Alexa top 750 sites (with `Access-Control-Allow-Credentials`):
![CORStest example with Alexa top 750 websites](img/example-alexa-750.gif)
### Evaluation
Running this CORStest on the Alexa [top 1 million](http://s3.amazonaws.com/alexa-static/top-1m.csv.zip) sites reveals the following results:
![CORStest example with Alexa top 1,000,000 sites](img/evaluation-alexa-1m.png)
Note that the absolute numbers are quite low, because only 3% of the 1,000,000 tested websites had CORS enabled on their main page and could be analyzed for misconfigurations. This test took about 14 hours on a decent line (DSL). If you have a fast Internet connection, try to increase the number of parallel processes to `-p50` or more.
### Background
Read more on the technical background of CORS misconfigurations in this fine [blogpost](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html) or check out this [talk](https://www.youtube.com/watch?v=wgkj4ZgxI4c). A large scale evaluation of CORS misconfigurations using *CORStest* is documented [here](http://web-in-security.blogspot.de/2017/07/cors-misconfigurations-on-large-scale.html).