From de57c593e84830e80e5021e29191c2823b89c05d Mon Sep 17 00:00:00 2001
From: AmirMohammad Safari <88091064+Osb0rn3@users.noreply.github.com>
Date: Thu, 12 Sep 2024 17:51:14 +0330
Subject: [PATCH] CORS misconfig improvements

---
 .../generic/cors-misconfig.yaml | 23 +++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/http/vulnerabilities/generic/cors-misconfig.yaml b/http/vulnerabilities/generic/cors-misconfig.yaml
index a30ec36ae0..56a7aaf1d5 100644
--- a/http/vulnerabilities/generic/cors-misconfig.yaml
+++ b/http/vulnerabilities/generic/cors-misconfig.yaml
@@ -2,14 +2,15 @@ id: cors-misconfig
 
 info:
   name: CORS Misconfiguration
-  author: nadino,g4l1t0,convisoappsec,pdteam,breno_css,nodauf
+  author: nadino,g4l1t0,convisoappsec,pdteam,breno_css,nodauf,amirmsafari
   severity: info
   reference:
     - https://portswigger.net/web-security/cors
+    - https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet
     - https://www.corben.io/advanced-cors-techniques/
     - https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/
   metadata:
-    max-request: 11
+    max-request: 29
   tags: cors,generic,misconfig
 
 http:
@@ -22,11 +23,29 @@ http:
     payloads:
       cors_origin:
         - "https://{{tolower(rand_base(5))}}{{RDN}}" # Arbitrary domain
+        - "http://{{tolower(rand_base(5))}}{{RDN}}" # Arbitrary domain
         - "https://{{tolower(rand_base(5))}}.com" # Arbitrary domain
         - "https://{{FQDN}}.{{tolower(rand_base(5))}}.com" # Arbitrary domain
         - "https://{{FQDN}}{{tolower(rand_base(5))}}.com" # Arbitrary domain
+        - "https://localhost.{{tolower(rand_base(5))}}.com" # Localhost regex implementation edge case
+        - "http://localhost.{{tolower(rand_base(5))}}.com" # Localhost regex implementation edge case over http
+        - "http://s{{RDN}}" # Unencrypted domain ends with
         - "https://{{FQDN}}_.{{tolower(rand_base(5))}}.com" # Arbitrary domain
         - "https://{{FQDN}}%60.{{tolower(rand_base(5))}}.com" # Arbitrary domain
+        - "https://{{FQDN}}.$.{{tolower(rand_base(5))}}.com" # Firefox and Safari allows $ as subdomain
+        - "https://{{FQDN}}.~.{{tolower(rand_base(5))}}.com" # Safari allows ~ as subdomain
+        - "https://{{FQDN}}.=.{{tolower(rand_base(5))}}.com" # Safari allows = as subdomain
+        - "https://{{FQDN}}.+.{{tolower(rand_base(5))}}.com" # Firefox and Safari allows + as subdomain
+        - "https://{{FQDN}}.&.{{tolower(rand_base(5))}}.com" # Safari allows & as subdomain
+        - "https://{{FQDN}}.*.{{tolower(rand_base(5))}}.com" # Safari allows * as subdomain
+        - "https://{{FQDN}}.).{{tolower(rand_base(5))}}.com" # Safari allows ) as subdomain
+        - "https://{{FQDN}}.(.{{tolower(rand_base(5))}}.com" # Safari allows ( as subdomain
+        - "https://{{FQDN}}.'.{{tolower(rand_base(5))}}.com" # Safari allows ' as subdomain
+        - "https://{{FQDN}}.!.{{tolower(rand_base(5))}}.com" # Safari allows ! as subdomain
+        - "https://{{FQDN}}.;.{{tolower(rand_base(5))}}.com" # Safari allows ; as subdomain
+        - "https://{{FQDN}}.,.{{tolower(rand_base(5))}}.com" # Safari allows , as subdomain
+        - "https://{{FQDN}}.-.{{tolower(rand_base(5))}}.com" # Arbitrary domain
+        - "https://{{FQDN}}._.{{tolower(rand_base(5))}}.com" # Arbitrary domain
         - "null" # null origin
         - "https://{{tolower(rand_base(5))}}.{{RDN}}" # Arbitrary subdomain
         - "http://{{tolower(rand_base(5))}}.{{RDN}}" # Arbitrary subdomain over http
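Review bot: The comment on the new `http://s{{RDN}}` entry is cut off (`# Unencrypted domain ends with`) and, unlike its neighbours, does not say what the payload probes; suggest `# Host whose name merely ends with the target root domain (suffix-match check), over http`. The two new `.-.` and `._.` entries are labelled only `# Arbitrary domain`, which hides that they test a dotted single-character label like the browser-specific cases directly above them; `# Single-character '-' label (origin-regex edge case)` and the `_` equivalent would keep the list self-describing. The per-entry comments are the only documentation of intent in this list, and the matchers that decide whether a reflected origin counts as a finding (and whether `Access-Control-Allow-Credentials` is required) are outside this hunk, so I cannot confirm from here that the `http://` variants are reported distinctly from the `https://` ones. The `max-request: 29` bump in the first hunk does match the eighteen added entries on top of the previous eleven, so no change is needed there.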