nuclei-templates/vulnerabilities/generic/cors-misconfig.yaml

id: cors-misconfig

info:
  name: Basic CORS misconfiguration
  author: nadino,G4L1T0,convisoappsec,pdteam
  severity: info
  reference: https://portswigger.net/web-security/cors
  tags: cors,generic

requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Origin: {{randstr}}.tld

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Origin: null

#  TODO's for future as currently {{Hostname}} is not supported in matchers
#        Origin: {{randstr}}.{{Hostname}}
#        Origin: {{Hostname}}.{{randstr}}.tld
#        Origin: {{Hostname}}{{randstr}}.tld
#        Origin: {{Hostname}}_.{{randstr}}.tld
#        Origin: {{Hostname}}%60.{{randstr}}.tld
#        Origin: http://{{Hostname}}
#        Origin: http://{{randstr}}.{{Hostname}}

    matchers-condition: or
    matchers:
      - type: dsl
        name: arbitrary-origin
        dsl:
          - "contains(tolower(all_headers), 'access-control-allow-origin: {{randstr}}.tld')"
          - "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
        condition: and

      - type: dsl
        name: null-origin
        dsl:
          - "contains(tolower(all_headers), 'access-control-allow-origin: null')"
          - "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
        condition: and

      - type: dsl
        name: wildcard-acac
        dsl:
          - "contains(tolower(all_headers), 'access-control-allow-origin: *')"
          - "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
        condition: and

      - type: dsl
        name: wildcard-no-acac
        dsl:
          - "contains(tolower(all_headers), 'access-control-allow-origin: *')"
          - "!contains(tolower(all_headers), 'access-control-allow-credentials: true')"
        condition: and
Enhanced CORS checks 2021-08-25 22:54:06 +00:00			`id: cors-misconfig`

			`info:`
			`name: Basic CORS misconfiguration`
			`author: nadino,G4L1T0,convisoappsec,pdteam`
			`severity: info`
			`reference: https://portswigger.net/web-security/cors`
			`tags: cors,generic`

			`requests:`
			`- raw:`
			`- \|`
			`GET / HTTP/1.1`
			`Host: {{Hostname}}`

			`- \|`
			`GET / HTTP/1.1`
			`Host: {{Hostname}}`
misc update 2021-09-11 18:16:31 +00:00			`Origin: {{randstr}}.tld`
Enhanced CORS checks 2021-08-25 22:54:06 +00:00
			`- \|`
			`GET / HTTP/1.1`
			`Host: {{Hostname}}`
			`Origin: null`

misc update 2021-09-11 18:16:31 +00:00			`# TODO's for future as currently {{Hostname}} is not supported in matchers`
Enhanced CORS checks 2021-08-25 22:54:06 +00:00			`# Origin: {{randstr}}.{{Hostname}}`
misc update 2021-09-11 18:16:31 +00:00			`# Origin: {{Hostname}}.{{randstr}}.tld`
			`# Origin: {{Hostname}}{{randstr}}.tld`
			`# Origin: {{Hostname}}_.{{randstr}}.tld`
			`# Origin: {{Hostname}}%60.{{randstr}}.tld`
			`# Origin: http://{{Hostname}}`
			`# Origin: http://{{randstr}}.{{Hostname}}`
Enhanced CORS checks 2021-08-25 22:54:06 +00:00
			`matchers-condition: or`
			`matchers:`
			`- type: dsl`
			`name: arbitrary-origin`
			`dsl:`
misc update 2021-09-11 18:16:31 +00:00			`- "contains(tolower(all_headers), 'access-control-allow-origin: {{randstr}}.tld')"`
Enhanced CORS checks 2021-08-25 22:54:06 +00:00			`- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"`
			`condition: and`

			`- type: dsl`
			`name: null-origin`
			`dsl:`
			`- "contains(tolower(all_headers), 'access-control-allow-origin: null')"`
			`- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"`
			`condition: and`

			`- type: dsl`
			`name: wildcard-acac`
			`dsl:`
			`- "contains(tolower(all_headers), 'access-control-allow-origin: *')"`
			`- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"`
			`condition: and`

			`- type: dsl`
			`name: wildcard-no-acac`
			`dsl:`
			`- "contains(tolower(all_headers), 'access-control-allow-origin: *')"`
			`- "!contains(tolower(all_headers), 'access-control-allow-credentials: true')"`
			`condition: and`