nuclei-templates/http/vulnerabilities/generic/cors-misconfig.yaml

id: cors-misconfig

info:
  name: CORS Misconfiguration
  author: nadino,g4l1t0,convisoappsec,pdteam,breno_css,nodauf
  severity: info
  reference:
    - https://portswigger.net/web-security/cors
    - https://www.corben.io/advanced-cors-techniques/
    - https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/
  tags: cors,generic,misconfig
  metadata:
    max-request: 11

http:
  - raw:
      - |
        GET  HTTP/1.1
        Host: {{Hostname}}
        Origin: {{cors_origin}}

    payloads:
      cors_origin:
        - "https://{{tolower(rand_base(5))}}{{RDN}}"     # Arbitrary domain
        - "https://{{tolower(rand_base(5))}}.com"             # Arbitrary domain
        - "https://{{FQDN}}.{{tolower(rand_base(5))}}.com"     # Arbitrary domain
        - "https://{{FQDN}}{{tolower(rand_base(5))}}.com"      # Arbitrary domain
        - "https://{{FQDN}}_.{{tolower(rand_base(5))}}.com"    # Arbitrary domain
        - "https://{{FQDN}}%60.{{tolower(rand_base(5))}}.com"  # Arbitrary domain
        - "null"                                              # null origin
        - "https://{{tolower(rand_base(5))}}.{{RDN}}"         # Arbitrary subdomain
        - "http://{{tolower(rand_base(5))}}.{{RDN}}"          # Arbitrary subdomain over http
        - "https://{{replace(FQDN,'.','a')}}"          # Replace . by a random character to abuse if regex is used
        - "http://{{replace(FQDN,'.','a')}}"          # Replace . by a random character to abuse if regex is used


    stop-at-first-match: true
    matchers:
      - type: dsl
        name: arbitrary-origin
        dsl:
          - "contains(tolower(header), 'access-control-allow-origin: {{cors_origin}}')"
          - "contains(tolower(header), 'access-control-allow-credentials: true')"
        condition: and