From d8e0fd3ef0ab77ba5b07b00a26fa755894a4c34f Mon Sep 17 00:00:00 2001
From: G4L1T0
Date: Mon, 9 Aug 2021 11:40:04 -0300
Subject: [PATCH 1/7] add cors-misconfig.yaml
---
cors-misconfig.yaml | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 cors-misconfig.yaml
diff --git a/cors-misconfig.yaml b/cors-misconfig.yaml
new file mode 100644
index 0000000000..4d3fff5153
--- /dev/null
+++ b/cors-misconfig.yaml
@@ -0,0 +1,23 @@
+id: cors-misconfig
+
+info:
+ name: Cross-Origin Resource Sharing Misconfiguration
+ author: G4L1T0 and @convisoappsec
+ severity: info
+ tags: cors
+
+requests:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
+ Origin: https://www.convisoappsec.com
+ matchers:
+ - type: word
+ part: header
+ words:
+ - "Access-Control-Allow-Origin: https://www.convisoappsec.com"
+ - "Access-Control-Allow-Origin: *"
+ condition: or
+
From e98fb7179e1c2ca2895806fe3dd78ef7b651b8c6 Mon Sep 17 00:00:00 2001
From: G4L1T0
Date: Mon, 9 Aug 2021 11:56:37 -0300
Subject: [PATCH 2/7] update cors-misconfig.yaml
---
.../generic/cors-misconfig.yaml | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename cors-misconfig.yaml => vulnerabilities/generic/cors-misconfig.yaml (100%)
diff --git a/cors-misconfig.yaml b/vulnerabilities/generic/cors-misconfig.yaml
similarity index 100%
rename from cors-misconfig.yaml
rename to vulnerabilities/generic/cors-misconfig.yaml
From a44324ec2f2b57bea9a3e2a6d2a696d9771ccef7 Mon Sep 17 00:00:00 2001
From: G4L1T0
Date: Mon, 9 Aug 2021 11:57:37 -0300
Subject: [PATCH 3/7] updatev2 cors-misconfig.yaml
---
vulnerabilities/generic/cors-misconfig.yaml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/vulnerabilities/generic/cors-misconfig.yaml b/vulnerabilities/generic/cors-misconfig.yaml
index 4d3fff5153..6c3b810df0 100644
--- a/vulnerabilities/generic/cors-misconfig.yaml
+++ b/vulnerabilities/generic/cors-misconfig.yaml @@ -2,7 +2,7 @@ id: cors-misconfig info: name: Cross-Origin Resource Sharing Misconfiguration - author: G4L1T0 and @convisoappsec + author: G4L1T0 and @convisoappsec severity: info tags: cors @@ -20,4 +20,3 @@ requests: - "Access-Control-Allow-Origin: https://www.convisoappsec.com" - "Access-Control-Allow-Origin: *" condition: or - From cb94b580094c97218cd87b2c76f78f63aeaa09f5 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Wed, 11 Aug 2021 13:13:45 +0530 Subject: [PATCH 4/7] Update basic-cors.yaml --- vulnerabilities/generic/basic-cors.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/vulnerabilities/generic/basic-cors.yaml b/vulnerabilities/generic/basic-cors.yaml index a224186e83..85f9ebd824 100644 --- a/vulnerabilities/generic/basic-cors.yaml +++ b/vulnerabilities/generic/basic-cors.yaml @@ -2,7 +2,7 @@ id: basic-cors-misconfig info: name: Basic CORS misconfiguration - author: nadino + author: nadino,G4L1T0,convisoappsec severity: info tags: cors @@ -13,6 +13,7 @@ requests: headers: Origin: https://evil.com + matchers-condition: or matchers: - type: word words: @@ -20,3 +21,8 @@ requests: - "Access-Control-Allow-Credentials: true" condition: and part: header + + - type: word + part: header + words: + - "Access-Control-Allow-Origin: *" From 5ac272597b8ab5d98d76740bf8edecfc8308c443 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Wed, 11 Aug 2021 13:14:04 +0530 Subject: [PATCH 5/7] Delete cors-misconfig.yaml --- vulnerabilities/generic/cors-misconfig.yaml | 22 --------------------- 1 file changed, 22 deletions(-) delete mode 100644 vulnerabilities/generic/cors-misconfig.yaml diff --git a/vulnerabilities/generic/cors-misconfig.yaml b/vulnerabilities/generic/cors-misconfig.yaml deleted file mode 100644 index 6c3b810df0..0000000000 --- a/vulnerabilities/generic/cors-misconfig.yaml +++ /dev/null 
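Review bot: The second matcher added at the end of the basic-cors.yaml hunk reports a bare `Access-Control-Allow-Origin: *` as the same finding as a reflected `https://evil.com` origin paired with `Access-Control-Allow-Credentials: true`, although a wildcard origin cannot be used for credentialed cross-origin reads (browsers refuse to expose a response that combines `*` with credentials), so on its own it only says that already-public content is readable cross-origin. Both matchers are exact-case `word` matches, so a server that emits the header name or the `true` value in a different case would be missed; a `dsl` matcher over `tolower(all_headers)` avoids that. At minimum give the new matcher a `name:` (e.g. `name: wildcard-origin`) so the two conditions are distinguishable in output, and add a comment such as `# wildcard origin: informational only, not usable with credentials` so the severity difference is not lost. The enclosing `requests` entry starts before this hunk.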
@@ -1,22 +0,0 @@ -id: cors-misconfig - -info: - name: Cross-Origin Resource Sharing Misconfiguration - author: G4L1T0 and @convisoappsec - severity: info - tags: cors - -requests: - - raw: - - | - GET / HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 - Origin: https://www.convisoappsec.com - matchers: - - type: word - part: header - words: - - "Access-Control-Allow-Origin: https://www.convisoappsec.com" - - "Access-Control-Allow-Origin: *" - condition: or From b466fce758464476a2a822d244d834d893d6ae2a Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Wed, 11 Aug 2021 13:15:04 +0530 Subject: [PATCH 6/7] Update basic-cors.yaml --- vulnerabilities/generic/basic-cors.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/vulnerabilities/generic/basic-cors.yaml b/vulnerabilities/generic/basic-cors.yaml index 85f9ebd824..f652c891f0 100644 --- a/vulnerabilities/generic/basic-cors.yaml +++ b/vulnerabilities/generic/basic-cors.yaml @@ -4,7 +4,8 @@ info: name: Basic CORS misconfiguration author: nadino,G4L1T0,convisoappsec severity: info - tags: cors + reference: https://portswigger.net/web-security/cors + tags: cors,generic requests: - method: GET From 1999a9b560fbf4331e04da6d9da4b288de5aa0ac Mon Sep 17 00:00:00 2001 From: sandeep Date: Thu, 26 Aug 2021 04:24:06 +0530 Subject: [PATCH 7/7] Enhanced CORS checks --- vulnerabilities/generic/basic-cors.yaml | 29 --------- vulnerabilities/generic/cors-misconfig.yaml | 66 +++++++++++++++++++++ 2 files changed, 66 insertions(+), 29 deletions(-) delete mode 100644 vulnerabilities/generic/basic-cors.yaml create mode 100644 vulnerabilities/generic/cors-misconfig.yaml diff --git a/vulnerabilities/generic/basic-cors.yaml b/vulnerabilities/generic/basic-cors.yaml deleted file mode 100644 index 0861b5ff8b..0000000000 --- a/vulnerabilities/generic/basic-cors.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -id: basic-cors-misconfig - -info: - name: Basic CORS misconfiguration - author: nadino,G4L1T0,convisoappsec - severity: info - reference: https://portswigger.net/web-security/cors - tags: cors,generic - -requests: - - method: GET - path: - - "{{BaseURL}}" - headers: - Origin: https://evil.com - - matchers-condition: or - matchers: - - type: word - words: - - "Access-Control-Allow-Origin: https://evil.com" - - "Access-Control-Allow-Credentials: true" - condition: and - part: header - - - type: word - part: header - words: - - "Access-Control-Allow-Origin: *" diff --git a/vulnerabilities/generic/cors-misconfig.yaml b/vulnerabilities/generic/cors-misconfig.yaml new file mode 100644 index 0000000000..8e814fade3 --- /dev/null +++ b/vulnerabilities/generic/cors-misconfig.yaml 
@@ -0,0 +1,66 @@
+id: cors-misconfig
+
+info:
+ name: Basic CORS misconfiguration
+ author: nadino,G4L1T0,convisoappsec,pdteam
+ severity: info
+ reference: https://portswigger.net/web-security/cors
+ tags: cors,generic
+
+requests:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{randstr}}.com
+
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+ Origin: null
+
+# - |
+# GET / HTTP/1.1
+# Host: {{Hostname}}
+# Origin: {{randstr}}.{{Hostname}}
+#
+# - |
+# GET / HTTP/1.1
+# Host: {{Hostname}}
+# Origin: {{Hostname}}{{randstr}}
+
+# TO DO for future as currently {{Hostname}} is not supported in matchers
+
+ matchers-condition: or
+ matchers:
+ - type: dsl
+ name: arbitrary-origin
+ dsl:
+ - "contains(tolower(all_headers), 'access-control-allow-origin: {{randstr}}.com')"
+ - "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
+ condition: and
+
+ - type: dsl
+ name: null-origin
+ dsl:
+ - "contains(tolower(all_headers), 'access-control-allow-origin: null')"
+ - "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
+ condition: and
+
+ - type: dsl
+ name: wildcard-acac
+ dsl:
+ - "contains(tolower(all_headers), 'access-control-allow-origin: *')"
+ - "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
+ condition: and
+
+ - type: dsl
+ name: wildcard-no-acac
+ dsl:
+ - "contains(tolower(all_headers), 'access-control-allow-origin: *')"
+ - "!contains(tolower(all_headers), 'access-control-allow-credentials: true')"
+ condition: and
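Review bot: The `arbitrary-origin` probe sends `Origin: {{randstr}}.com` without a scheme, but an Origin header carries a serialized origin (`scheme://host`), so a CORS layer that parses or validates the value before echoing it may reject the malformed one and the reflection goes undetected; send `Origin: https://{{randstr}}.com` and match on `'access-control-allow-origin: https://{{randstr}}.com'` instead. The four named matchers describe very different risk — `arbitrary-origin` and `null-origin` combined with `access-control-allow-credentials: true` let an attacker page read authenticated responses, whereas `wildcard-acac` is never honoured by browsers (credentials are not exposed to a `*` origin) and `wildcard-no-acac` only means public content is readable cross-origin — yet all surface under one `severity: info`, so a one-line comment above each matcher stating its exploitability (e.g. `# reflected origin + credentials: authenticated cross-origin read`) would help triage until per-matcher severity is available. The first raw request sends no `Origin` and no matcher depends on it; either document it as a baseline (`# baseline response without Origin, for manual comparison`) or drop it to save a request per target. This also relies on `{{randstr}}` expanding to the same value in the request and in the DSL matcher, which is worth noting in a comment so a future change to the variable does not silently break the check.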