Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/wfinn/ucors

tool that scans for CORS bypasses
https://github.com/wfinn/ucors

bugbounty bypass cors pentesting vulnerability-scanners

Last synced: 21 days ago
JSON representation

tool that scans for CORS bypasses

Host: GitHub
URL: https://github.com/wfinn/ucors
Owner: wfinn
Created: 2022-04-17T13:33:08.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2022-04-18T22:05:50.000Z (over 2 years ago)
Last Synced: 2024-08-05T17:29:44.606Z (4 months ago)
Topics: bugbounty, bypass, cors, pentesting, vulnerability-scanners
Language: Go
Homepage:
Size: 16.6 KB
Stars: 3
Watchers: 2
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-hacking-lists - wfinn/ucors - tool that scans for CORS bypasses (Go)

README

# ucors?

Tool that finds CORS misconfigurations.

```sh
go install github.com/wfinn/ucors@latest

$ echo https://target.tld/endpoint | ucors
$ cat urls.txt | ucors -c session=xyz123
Url: https://target.tld/endpoint Origin: null ACAC: true
...
```

Many bypasses only work in Safari.

## Payloads
- usual reflection e.g. http(s)://evil.com
- https://target.tld.evil.com
- https://target.tldevil.com
- null (sandboxed iframes can have origin null)
- unescaped dots in regexes e.g. https://wwwxtarget.tld
- different TLDs e.g. https://target.wtf
- unexpected chars in subdomains https://target.tld&.evil.com
- Bonus check: xss on subdomains https://any.target.tld

## Usage

Create a list of urls to check, (grab a valid session cookie) and start ucors to find some bypasses.
Ideally you prepare a list of all endpoints returning interesting data.

Below is an example output, you see the url, the payload that worked and if cookies are allowed
```sh
$ cat urls.txt | ucors -c session=xyz123
Url: https://target.tld/profile/private-data.json Origin: https://subdomain.target.tld&evil.com ACAC: true
Url: https://sub.target.tld/getSensitiveInfo Origin: null ACAC: true
...
```

### Flags
- -p to only print the generated bypasses and not make any requests
- -d evil.com to set the attacker domain
- -s to skip the url after finding a bypass
- -c abc=XYZ to set cookies
- -a "Bearer: abcXYZ" to set the Authorization header

## Resources
- https://portswigger.net/web-security/cors
- https://www.corben.io/advanced-cors-techniques/

---

This is based on [@tomnomnom's cors-blimey](https://github.com/tomnomnom/hacks/tree/master/cors-blimey).