What is CORS Misconfiguration Bug?
Cross-origin resource sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain. It extends and adds flexibility to the same-origin policy. However, it also provides potential for cross-domain attacks, if a website’s CORS policy is poorly configured and implemented.
If web application fails to properly validate the Origin header (check details section for more information) and returns, then any website can issue requests made with user credentials and read the responses to these requests. Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites.
To exploit CORS bug attacker still need some actions to get a huge impact, for example attacker would treat many victims to visit attacker’s website, if victim is logged in, then his personal information (cookie, tokens etc) automatically recorded in attacker’s server. Attacker can perform any action in the user’s account, bypassing CSRF tokens.
CORS Misconfiguration Scanner Tool
Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations.
Requirements
Corsy only works with Python 3 and has just one dependency:
requests
To install this dependency, navigate to Corsy directory and execute pip3 install requests
Usage
Using Corsy is pretty simple
Scan URLs from a file
Scan URLs from stdin
Custom HTTP headers
Tests implemented
- Pre-domain bypass
- Post-domain bypass
- Backtick bypass
- Null origin bypass
- Unescaped dot bypass
- Underscore bypass
- Invalid value
- Wild card value
- Origin reflection test
- Third party allowance test
- HTTP allowance test
