nuclei-templates/vulnerabilities/generic/cors-misconfig.yaml

67 lines
1.8 KiB
YAML
Raw Normal View History

2021-08-25 22:54:06 +00:00
id: cors-misconfig
info:
name: Basic CORS misconfiguration
author: nadino,G4L1T0,convisoappsec,pdteam
severity: info
reference: https://portswigger.net/web-security/cors
tags: cors,generic
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
GET / HTTP/1.1
Host: {{Hostname}}
Origin: {{randstr}}.com
- |
GET / HTTP/1.1
Host: {{Hostname}}
Origin: null
# - |
# GET / HTTP/1.1
# Host: {{Hostname}}
# Origin: {{randstr}}.{{Hostname}}
#
# - |
# GET / HTTP/1.1
# Host: {{Hostname}}
# Origin: {{Hostname}}{{randstr}}
# TO DO for future as currently {{Hostname}} is not supported in matchers
matchers-condition: or
matchers:
- type: dsl
name: arbitrary-origin
dsl:
- "contains(tolower(all_headers), 'access-control-allow-origin: {{randstr}}.com')"
- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
condition: and
- type: dsl
name: null-origin
dsl:
- "contains(tolower(all_headers), 'access-control-allow-origin: null')"
- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
condition: and
- type: dsl
name: wildcard-acac
dsl:
- "contains(tolower(all_headers), 'access-control-allow-origin: *')"
- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
condition: and
- type: dsl
name: wildcard-no-acac
dsl:
- "contains(tolower(all_headers), 'access-control-allow-origin: *')"
- "!contains(tolower(all_headers), 'access-control-allow-credentials: true')"
condition: and