New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More
Socket
Sign inDemoInstall
Socket

github.com/cryliss/gocors

Package Overview
Dependencies
Alerts
File Explorer
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

github.com/cryliss/gocors

  • v0.0.0-20211202025127-0a870c4e7a66
  • Source
  • Go
  • Socket score

Version published
Created
Source

gocors

Go Reference GoReportCard example

A tool for scanning domains for CORS misconfigurations written in Go.
Final project for COMP 424 Software Security
Professor: Dr. Wonju Lee

By:
Sabra Bilodeau
Sally Chung

Misconfigurations Tested

gocors tests the follow CORS misconfigurations:

For more information on each, including sample exploits and possible fixes for the vulnerabilities, please click the link provided.

Installation

Clone the repository:
git clone https://github.com/Cryliss/gocors.git

Change directories to the repository's directory:
cd gocors

Build the application:
make build

Usage

Simple Scans

To run a scan on a signle URL, use ./gocors -url https://example.com.

To run scans on multiple URLs, save the URLs to a .txt file and run the program like so:

./gocors -input global_top_100_domains.txt

Configurable Scans

To add additional configuration to a request, there are two options.

  1. Add any of the following command line flags to your input
  2. Update the provided conf.json to reflect your desired configuration.

CLI flags

FlagDescriptionDefault
-urlThe URL to scan for CORS misconfiguration""
-headersInclude headers""
-methodInclude another method other than GET"GET"
-inputA text file with a list of domains or a json configuration file""
-threadsNumber of threads to use for the scan10
-outputDirectory to save the results to a JSON file.""
-timeoutSet requests timeout"10s"
-proxyUse a proxy (HTTP)""
-hShow the help information & exitN/A
-verboseEnables the UI to display realtime resultsfalse

Example Usage of the CLI flags

  • URL: ./gocors -url https://example.com
  • Headers: ./gocors -url https://example.com -headers "User-Agent: GoogleBot\nCookie: SESSION=Hacked"
  • Method: ./gocors -url https://example.com -method POST
  • Input: ./gocors -input global_top_100_domains.txt
  • Threads: ./gocors -url https://example.com -threads 20
  • Output: ./gocors -url https://example.com -output "/path/to/your/results/directory/"
  • Timeout: ./gocors -url https://example.com -timeout 20s
  • Proxy: ./gocors -url https://example.com -proxy http://127.0.0.1:4545
  • Verbose: ./gocors -url https://example.com -verbose true

Using gocors in your own application

Run go get github.com/Cryliss/gocors in your terminal.

package main

import (
    "github.com/Cryliss/gocors"
    "github.com/Cryliss/gocors/scanner"
)

func main() {
    // Set our scanner configuration variables
    output := "/path/to/your/output/directory"
    timeout := "10s"
    threads := 10

    // Create a new scanner.
    corsScanner := gocors.InitGoCors(output, timeout, threads)

    /*
    In order to start running tests with gocors, we need to create them first.

    Creating tests requires an array of domain names, a scanner.Headers variable
    which is a map[string]string of header name-value pairs, a request method and
    a proxy URL. If you want to set custom headers, do:
    headers["cookie"] = "SESSION=Hacked"

    After creating our headers variable and domain names, then we can call the create
    tests function, which will set scanner.Conf.Tests value at the end.
    */
    var headers scanner.Headers
    domains := []string{"https://www.instagram.com/"}
    corsScanner.CreateTests(domains, headers, "GET", "")

    // Now that we have our tests set, we can go ahead and start the scanner.
    // Once the scan finishes, it will automatically save your results to the output
    // directory, if one is provided.
    corsScanner.Start()
}

FAQs

Package last updated on 02 Dec 2021

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc