github.com/cryliss/gocors
A tool for scanning domains for CORS misconfigurations written in Go.
Final project for COMP 424 Software Security
Professor: Dr. Wonju Lee
By:
Sabra Bilodeau
Sally Chung
gocors tests the following CORS misconfigurations:
For more information on each, including sample exploits and possible fixes for the vulnerabilities, please click the link provided.
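The individual checks are not listed on this page, so here is an added example of what one CORS probe looks like in Go. It is not gocors' own code: it sends a request carrying an Origin the server has no reason to trust and classifies the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers that come back. The issue labels, the probe origin, and the two constructed test servers (one that reflects any Origin, one that uses an explicit allowlist) are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Classify labels a CORS response to a probe that carried the given Origin.
// The labels are this example's own names, not gocors' categories; an empty
// label means nothing was flagged.
func Classify(origin, allowOrigin, allowCredentials string) string {
	creds := strings.EqualFold(strings.TrimSpace(allowCredentials), "true")
	switch {
	case allowOrigin == "":
		return "" // no grant at all: browsers block cross-origin reads
	case allowOrigin == "*" && creds:
		return "wildcard-with-credentials" // browsers refuse it, but the server is misconfigured
	case allowOrigin == "*":
		return "wildcard" // public read access; fine only for genuinely public data
	case allowOrigin == "null":
		return "null-origin-trusted" // sandboxed iframes send Origin: null
	case allowOrigin == origin && creds:
		return "origin-reflected-with-credentials" // echoed an untrusted origin
	case allowOrigin == origin:
		return "origin-reflected"
	}
	return "" // some other explicit origin was granted: not flagged by this probe
}

// Probe sends one GET to target with the given Origin and classifies the reply.
func Probe(client *http.Client, target, origin string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Origin", origin)
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return Classify(origin,
		resp.Header.Get("Access-Control-Allow-Origin"),
		resp.Header.Get("Access-Control-Allow-Credentials")), nil
}

// reflectingHandler is a constructed stand-in for a misconfigured server that
// echoes whatever Origin it receives and allows credentials.
func reflectingHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
	w.Header().Set("Access-Control-Allow-Credentials", "true")
	fmt.Fprint(w, "{}")
}

// allowlistHandler is the corrected form: grant only an explicit origin and
// add Vary: Origin so caches do not serve one origin's grant to another.
func allowlistHandler(w http.ResponseWriter, r *http.Request) {
	allowed := map[string]bool{"https://app.example": true} // assumed trusted origin
	if o := r.Header.Get("Origin"); allowed[o] {
		w.Header().Set("Access-Control-Allow-Origin", o)
		w.Header().Set("Access-Control-Allow-Credentials", "true")
		w.Header().Add("Vary", "Origin")
	}
	fmt.Fprint(w, "{}")
}

// RunDemo probes both constructed servers with an origin neither should trust
// and returns the issue label found for each.
func RunDemo() (map[string]string, error) {
	servers := map[string]http.HandlerFunc{
		"reflecting": reflectingHandler,
		"allowlist":  allowlistHandler,
	}
	const probeOrigin = "https://untrusted.example" // assumed probe origin
	results := make(map[string]string)
	for name, h := range servers {
		srv := httptest.NewServer(h)
		issue, err := Probe(srv.Client(), srv.URL+"/api/me", probeOrigin)
		srv.Close()
		if err != nil {
			return nil, err
		}
		results[name] = issue
	}
	return results, nil
}

func main() {
	results, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println(results)
}
```

Only the reflecting server is flagged; the allowlist server answers the untrusted probe with no Access-Control-Allow-Origin at all, which is the correct outcome. A real scan repeats Probe with several origins (a foreign origin, `null`, and variations on the target's own host) because a server can pass one probe and fail another.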
Clone the repository:

```bash
git clone https://github.com/Cryliss/gocors.git
```

Change directories to the repository's directory:

```bash
cd gocors
```

Build the application:

```bash
make build
```
To run a scan on a single URL, use `./gocors -url https://example.com`.

To run scans on multiple URLs, save the URLs to a .txt file and run the program like so:

```bash
./gocors -input global_top_100_domains.txt
```
To add additional configuration to a request, there are two options: pass the flags listed below on the command line, or edit conf.json to reflect your desired configuration and pass it with -input.

Flag | Description | Default |
---|---|---|
-url | The URL to scan for CORS misconfiguration | "" |
-headers | Include headers | "" |
-method | Include another method other than GET | "GET" |
-input | A text file with a list of domains or a json configuration file | "" |
-threads | Number of threads to use for the scan | 10 |
-output | Directory to save the results to a JSON file. | "" |
-timeout | Set requests timeout | "10s" |
-proxy | Use a proxy (HTTP) | "" |
-h | Show the help information & exit | N/A |
-verbose | Enables the UI to display realtime results | false |
```bash
./gocors -url https://example.com
./gocors -url https://example.com -headers "User-Agent: GoogleBot\nCookie: SESSION=Hacked"
./gocors -url https://example.com -method POST
./gocors -input global_top_100_domains.txt
./gocors -url https://example.com -threads 20
./gocors -url https://example.com -output "/path/to/your/results/directory/"
./gocors -url https://example.com -timeout 20s
./gocors -url https://example.com -proxy http://127.0.0.1:4545
./gocors -url https://example.com -verbose true
```
gocors in your own application

Run `go get github.com/Cryliss/gocors` in your terminal.
```go
package main

import (
	"github.com/Cryliss/gocors"
	"github.com/Cryliss/gocors/scanner"
)

func main() {
	// Set our scanner configuration variables.
	output := "/path/to/your/output/directory"
	timeout := "10s"
	threads := 10

	// Create a new scanner.
	corsScanner := gocors.InitGoCors(output, timeout, threads)

	/*
	   In order to start running tests with gocors, we need to create them first.
	   Creating tests requires an array of domain names, a scanner.Headers variable
	   (a map[string]string of header name-value pairs), a request method and
	   a proxy URL. The map must be initialised with make before custom headers
	   are set (assigning into a nil map panics), e.g.:
	       headers := make(scanner.Headers)
	       headers["cookie"] = "SESSION=Hacked"
	   After creating our headers variable and domain names, we can call the
	   CreateTests function, which sets scanner.Conf.Tests at the end.
	*/
	headers := make(scanner.Headers)
	domains := []string{"https://www.instagram.com/"}
	corsScanner.CreateTests(domains, headers, "GET", "")

	// Now that we have our tests set, we can go ahead and start the scanner.
	// Once the scan finishes, it will automatically save your results to the output
	// directory, if one is provided.
	corsScanner.Start()
}
```