Corsy – CORS Misconfiguration Scanner

What is CORS Misconfiguration Bug

What is CORS Misconfiguration Bug?

Cross-origin resource sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain. It extends and adds flexibility to the same-origin policy. However, it also provides potential for cross-domain attacks, if a website’s CORS policy is poorly configured and implemented.

If web application fails to properly validate the Origin header (check details section for more information) and returns, then any website can issue requests made with user credentials and read the responses to these requests. Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites.

To exploit CORS bug attacker still need some actions to get a huge impact, for example attacker would treat many victims to visit attacker’s website, if victim is logged in, then his personal information (cookie, tokens etc) automatically recorded in attacker’s server. Attacker can perform any action in the user’s account, bypassing CSRF tokens.

CORS Misconfiguration Scanner Tool

Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations.

Corsy - Automated CORS Misconfiguration Scanner Tool


Corsy only works with Python 3 and has just one dependency:

  • requests

To install this dependency, navigate to Corsy directory and execute pip3 install requests


Using Corsy is pretty simple

python3 -u

Scan URLs from a file

python3 -i /path/urls.txt

Scan URLs from stdin

cat urls.txt | python3

Custom HTTP headers

python3 -u –headers “User-Agent: GoogleBot\nCookie: SESSION=Hacked”

Tests implemented

  • Pre-domain bypass
  • Post-domain bypass
  • Backtick bypass
  • Null origin bypass
  • Unescaped dot bypass
  • Underscore bypass
  • Invalid value
  • Wild card value
  • Origin reflection test
  • Third party allowance test
  • HTTP allowance test

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

twenty + nineteen =