Home

Awesome

GitHub release Github all releases HitCount Total alerts Language grade: Python MIT license

corsair_scan

Welcome to Corsair_scan

Corsair_scan is a security tool to test Cross-Origin Resource Sharing (CORS) misconfigurations. CORS is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. If this is not properly configured, unauthorised domains can access to those resources.

What is CORS?

CORS is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. It works by adding new HTTP headers that let servers describe which origins are permitted to read that information from a web browser.

CORS also relies on a mechanism by which browsers make a “preflight” request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.

The most common and problematic security issue when implementing CORS is the failure to validate/whitelist requestors. Too often, we see the value for Access-Control-Allow-Origin set to ‘*’.

Unfortunately, this is the default and as such allows any domain on the web to access that site’s resources.

As per the OWASP Application Security Verification Standard (ASVS), requirement 14.5.3 states

Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header uses a strict allow list of trusted domains and subdomains to match against and does not support the "null" origin.

How Does corsair_scan work?

Corsair_scan works by resending a request (or list of requests) received as a parameter and then injecting a value in the Origin header. Depending on the content of the Access-Control-Allow-Origin header in the response to this request, we can assert if CORS configuration is correct or not. There are three scenarios that indicate that CORS is misconfigured:

If CORS is found to be misconfigured, we check to see if the response contains the header Access-Control-Allow-Credentials, which means that the server allows credentials to be included on cross-origin requests.

Often, CORS configurations make use of wildcards, for example accepting anything under * example.com *. This means that the origin domain.com.evil.com will be accepted as it matches the given regex. To try and combat this, corsair_scan tests four scenarios:

How Do I Install It?

This project was developed with Python 3.9, but should work with any Python 3.x version. The best way to install it is using pip.

pip3 install corsair_scan --user

How Do I Use It?

Corsair can be used both as a python module or as a CLI.

Python Module

The method that performs the CORS scan is corsair_scan. Here is its definition:

corsair_scan

Receives a list of requests and a parameter to enable/disable certificate check in the request

Input:

Output:

Example

import corsair_scan.corsair_scan as corsair
url_data = {}
data = []
verb =  'GET'
url = 'https://example.com/'
params = 'user=user1&password=1234'
headers = {'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
           'Accept-Language': 'en-GB,en;q=0.5', 'Connection': 'keep-alive', 'Upgrade-Insecure-Requests': '1',
           'Origin': 'https://example.com',
           'Host': 'example.com'}

url_data['verb'] = verb
url_data['url'] = url
url_data['params'] = params
url_data['headers'] = headers
data.append(url_data)

print (corsair.corsair_scan(data, verify=True))

Response:

{'report': [{'fake_origin': {'Access-Control-Allow-Origin': 'https://scarymonster.com',
                             'Origin': 'https://scarymonster.com',
                             'credentials': True,
                             'error': False,
                             'misconfigured': True,
                             'status_code': 200},
             'post-domain': {'Access-Control-Allow-Origin': 'https://example.com.scarymonster.com',
                             'Origin': 'https://example.com.scarymonster.com',
                             'credentials': True,
                             'error': False,
                             'misconfigured': True,
                             'status_code': 200},
             'pre-domain': {'Access-Control-Allow-Origin': 'https://scarymonsterexample.com',
                            'Origin': ' https://scarymonsterexample.com',
                            'credentials': True,
                            'error': False,
                            'misconfigured': True,
                            'status_code': 200},
             'sub-domain': {'Access-Control-Allow-Origin': 'https://scarymonster.example.com',
                            'Origin': 'https://scarymonster.example.com',
                            'credentials': True,
                            'error': False,
                            'misconfigured': True,
                            'status_code': 200},
             'url': 'https://example.com/',
             'verb': 'GET'}],
 'summary': {'error': [], 'misconfigured': [{'credentials': True,
                    'misconfigured_test': ['fake_origin',
                                           'sub-domain',
                                           'pre-domain',
                                           'post-domain'],
                    'status_code': 200,
                    'url': 'https://domain.com',
                    'verb': 'GET'}]}}

CLI

As part of the pip package installation, a CLI is installed. The syntax to execute is as follows:

corsair FILE [-nv/--noverify][-r/--report]

The CLI needs a json file with a list of requests perform the scan. An example file is provided as part of the tests

:

[{
  "verb": "GET",
  "url": "https://example.com/",
  "params": "user=user1&password=1234",
  "headers": {
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "en-GB,en;q=0.5",
    "Connection": "keep-alive",
    "Upgrade-Insecure-Requests": "1",
    "Origin": "https://example.com",
    "Host": "example.com"
  }
}]

There are also two optional parameters:

Example

<img align="left" src="images/cli-report.png" alt="CLI report" style="zoom:80%;" />

Roadmap

Who Is Behind It?

Corsair_scan was developed by the Santander UK Security Engineering team who are: