CORStest – CORS Misconfiguration scanner

CORStest is a quick & dirty Python 2 tool to find Cross-Origin Resource Sharing (CORS) misconfigurations. It takes a text file as input which may contain a list of domain names or URLs.

CORStest - CORS Misconfiguration scanner
CORStest – CORS Misconfiguration scanner

Currently, the following potential vulnerabilities are detected by sending a certain Origin request header and checking for the Access-Control-Allow-Origin response header:

  • Developer backdoor: Insecure dev origins like JSFiddle or CodePen are allowed to access this resource
  • Origin reflection: The origin is simply echoed in ACAO header, any site is allowed to access this resource
  • Null misconfiguration: Any site is allowed to access by forcing the null origin via a sandboxed iframe
  • Pre-domain wildcard: notdomain.com is allowed access, which can simply be registered by an attacker
  • Post-domain wildcard: domain.com.evil.com is allowed access, which can be registered by an attacker
  • Subdomains allowed: sub.domain.com allowed access, exploitable if attacker finds XSS in any subdomain
  • Non-ssl sites allowed: A http origin is allowed access to a https resource, allows MitM to break encryption
  • Invalid CORS header: Wrong use of wildcard or multiple origins, not a security problem but should be fixed

You can read more and download the tool over here: https://github.com/RUB-NDS/CORStest

Share