nuclei-templates/vulnerabilities/generic/cors-misconfig.yaml

45 lines
1.7 KiB
YAML
Raw Normal View History

2021-08-25 22:54:06 +00:00
id: cors-misconfig
info:
name: CORS Misconfiguration
author: nadino,g4l1t0,convisoappsec,pdteam,breno_css
2021-08-25 22:54:06 +00:00
severity: info
reference:
- https://portswigger.net/web-security/cors
- https://www.corben.io/advanced-cors-techniques/
- https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/
tags: cors,generic,misconfig
2021-08-25 22:54:06 +00:00
requests:
- raw:
- |
2022-07-02 10:20:54 +00:00
GET / HTTP/1.1
Host: {{Hostname}}
Origin: {{cors_origin}}
- |
GET {{path}} HTTP/1.1
2021-08-25 22:54:06 +00:00
Host: {{Hostname}}
Origin: {{cors_origin}}
payloads:
cors_origin:
- "https://{{tolower(rand_base(5))}}{{RDN}}" # Arbitrary domain
- "https://{{tolower(rand_base(5))}}.com" # Arbitrary domain
- "https://{{FQDN}}.{{tolower(rand_base(5))}}.com" # Arbitrary domain
- "https://{{FQDN}}{{tolower(rand_base(5))}}.com" # Arbitrary domain
- "https://{{FQDN}}_.{{tolower(rand_base(5))}}.com" # Arbitrary domain
- "https://{{FQDN}}%60.{{tolower(rand_base(5))}}.com" # Arbitrary domain
- "null" # null origin
- "https://{{tolower(rand_base(5))}}.{{RDN}}" # Arbitrary subdomain
- "http://{{tolower(rand_base(5))}}.{{RDN}}" # Arbitrary subdomain over http
stop-at-first-match: true
2021-08-25 22:54:06 +00:00
matchers-condition: or
matchers:
- type: dsl
name: arbitrary-origin
dsl:
- "contains(tolower(all_headers), 'access-control-allow-origin: {{cors_origin}}')"
2021-08-25 22:54:06 +00:00
- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
condition: and