github.com/cryliss/gocors
A tool for scanning domains for CORS misconfigurations written in Go.
Final project for COMP 424 Software Security
Professor: Dr. Wonju Lee
By:
Sabra Bilodeau
Sally Chung
gocors tests the follow CORS misconfigurations:
For more information on each, including sample exploits and possible fixes for the vulnerabilities, please click the link provided.
Clone the repository:
git clone https://github.com/Cryliss/gocors.git
Change directories to the repository's directory:
cd gocors
Build the application:
make build
To run a scan on a signle URL, use ./gocors -url https://example.com.
To run scans on multiple URLs, save the URLs to a .txt file and run the program like so:
./gocors -input global_top_100_domains.txt
To add additional configuration to a request, there are two options.
conf.json to reflect your desired configuration.| Flag | Description | Default |
|---|---|---|
| -url | The URL to scan for CORS misconfiguration | "" |
| -headers | Include headers | "" |
| -method | Include another method other than GET | "GET" |
| -input | A text file with a list of domains or a json configuration file | "" |
| -threads | Number of threads to use for the scan | 10 |
| -output | Directory to save the results to a JSON file. | "" |
| -timeout | Set requests timeout | "10s" |
| -proxy | Use a proxy (HTTP) | "" |
| -h | Show the help information & exit | N/A |
| -verbose | Enables the UI to display realtime results | false |
./gocors -url https://example.com./gocors -url https://example.com -headers "User-Agent: GoogleBot\nCookie: SESSION=Hacked"./gocors -url https://example.com -method POST./gocors -input global_top_100_domains.txt./gocors -url https://example.com -threads 20./gocors -url https://example.com -output "/path/to/your/results/directory/"./gocors -url https://example.com -timeout 20s./gocors -url https://example.com -proxy http://127.0.0.1:4545./gocors -url https://example.com -verbose truegocors in your own applicationRun go get github.com/Cryliss/gocors in your terminal.
package main
import (
"github.com/Cryliss/gocors"
"github.com/Cryliss/gocors/scanner"
)
func main() {
// Set our scanner configuration variables
output := "/path/to/your/output/directory"
timeout := "10s"
threads := 10
// Create a new scanner.
corsScanner := gocors.InitGoCors(output, timeout, threads)
/*
In order to start running tests with gocors, we need to create them first.
Creating tests requires an array of domain names, a scanner.Headers variable
which is a map[string]string of header name-value pairs, a request method and
a proxy URL. If you want to set custom headers, do:
headers["cookie"] = "SESSION=Hacked"
After creating our headers variable and domain names, then we can call the create
tests function, which will set scanner.Conf.Tests value at the end.
*/
var headers scanner.Headers
domains := []string{"https://www.instagram.com/"}
corsScanner.CreateTests(domains, headers, "GET", "")
// Now that we have our tests set, we can go ahead and start the scanner.
// Once the scan finishes, it will automatically save your results to the output
// directory, if one is provided.
corsScanner.Start()
}
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Malicious PyPI checkers validate stolen emails against TikTok and Instagram APIs, enabling targeted account attacks and dark web credential sales.
Security News
The Node.js TSC opted not to endorse a feature bounty program, citing concerns about incentives, governance, and project neutrality.
Research
Security News
A look at the top trends in how threat actors are weaponizing open source packages to deliver malware and persist across the software supply chain.