Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/s0md3v/Corsy

CORS Misconfiguration Scanner
https://github.com/s0md3v/Corsy

cors cors-misconfiguration-scanner cors-scanner vulnerability-scanner

Last synced: about 2 months ago
JSON representation

CORS Misconfiguration Scanner

Awesome Lists containing this project

README 

        




  


  Corsy

  


  Corsy

  





CORS Misconfiguration Scanner





  

    

  

  

      

  




### Introduction

Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations.



![demo](https://i.ibb.co/Jc1HtmW/corsy.png)



### Requirements

Corsy only works with `Python 3` and has just one dependency:



- `requests`



To install this dependency, navigate to Corsy directory and execute `pip3 install requests`



### Usage

Using Corsy is pretty simple



`python3 corsy.py -u https://example.com`



##### Scan URLs from a file

`python3 corsy.py -i /path/urls.txt`



##### Scan URLs from stdin

`cat urls.txt | python3 corsy.py`



##### Number of threads

`python3 corsy.py -u https://example.com -t 20`



##### Delay between requests

`python3 corsy.py -u https://example.com -d 2`



##### Export results to JSON

`python3 corsy.py -i /path/urls.txt -o /path/output.json`



##### Custom HTTP headers

`python3 corsy.py -u https://example.com --headers "User-Agent: GoogleBot\nCookie: SESSION=Hacked"`



##### Skip printing tips

`-q` can be used to skip printing of `description`, `severity`, `exploitation` fields in the output.



### Tests implemented

- Pre-domain bypass

- Post-domain bypass

- Backtick bypass

- Null origin bypass

- Unescaped dot bypass

- Underscore bypass

- Invalid value

- Wild card value

- Origin reflection test

- Third party allowance test

- HTTP allowance test