Skip to content

Latest commit

 

History

History
55 lines (38 loc) · 1.56 KB

README.md

File metadata and controls

55 lines (38 loc) · 1.56 KB

crossdomain

Checking for CORS misconfiguration

Usage: python corser.py -h

  1. Scanning for list domains
  • python corser.py -list_domain ~/aquatone/target.com/urls.txt -origin attacker.com

the file is a list subdomains that's result from aquatone tool

alt text

  1. Bruteforce endpoints and then checking for cors
  • python corser.py -u https://target.com/ -list_endpoint ~/Desktop/listendpoint.txt -origin attacker.com

alt text

  1. Trying to bypass origin when we encounter filter

simple filter

<?php
if(isset($_SERVER['HTTP_ORIGIN'])){
	if(preg_match('/^http:\/\/dienpv\.com/', $_SERVER['HTTP_ORIGIN'])){
		header("Access-Control-Allow-Origin: ".$_SERVER['HTTP_ORIGIN']);
		header("Access-Control-Allow-Credentials: True");
	}
	else{
		header("Access-Control-Allow-Origin: "."http://dienpv.com");
		header("Access-Control-Allow-Credentials: True");
	}
}

echo "your code: hacker1337";
?>

alt text

  1. Gen Poc
  • python corser.py -poc GET
  • python corser.py -poc POST

alt text

additional options

-t : set number of threads

-header : custom your request if website requires authenticated cookie

ex: python corser.py -u https://target.com -header "Cookie:sessid=123456;role=user, Authorization: zxbdGDH7438"