Merge pull request #2355 from G4L1T0/corsmisc

add cors-misconfig.yaml
2021-08-26 04:26:37 +05:30 · 2021-08-26 04:26:37 +05:30 · e66463d466
parent d78f7ffa3b 1999a9b560
commit e66463d466
2 changed files with 66 additions and 22 deletions
--- a/vulnerabilities/generic/basic-cors.yaml
+++ b/vulnerabilities/generic/basic-cors.yaml
@ -1,22 +0,0 @@
-id: basic-cors-misconfig
-
-info:
-  name: Basic CORS misconfiguration
-  author: nadino
-  severity: info
-  tags: cors,generic
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}"
-    headers:
-      Origin: https://evil.com
-
-    matchers:
-      - type: word
-        words:
-          - "Access-Control-Allow-Origin: https://evil.com"
-          - "Access-Control-Allow-Credentials: true"
-        condition: and
-        part: header
--- a/vulnerabilities/generic/cors-misconfig.yaml
+++ b/vulnerabilities/generic/cors-misconfig.yaml
@ -0,0 +1,66 @@
+id: cors-misconfig
+
+info:
+  name: Basic CORS misconfiguration
+  author: nadino,G4L1T0,convisoappsec,pdteam
+  severity: info
+  reference: https://portswigger.net/web-security/cors
+  tags: cors,generic
+
+requests:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{randstr}}.com
+
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+        Origin: null
+
+#      - |
+#        GET / HTTP/1.1
+#        Host: {{Hostname}}
+#        Origin: {{randstr}}.{{Hostname}}
+#
+#      - |
+#        GET / HTTP/1.1
+#        Host: {{Hostname}}
+#        Origin: {{Hostname}}{{randstr}}
+
+# TO DO for future as currently {{Hostname}} is not supported in matchers
+
+    matchers-condition: or
+    matchers:
+      - type: dsl
+        name: arbitrary-origin
+        dsl:
+          - "contains(tolower(all_headers), 'access-control-allow-origin: {{randstr}}.com')"
+          - "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
+        condition: and
+
+      - type: dsl
+        name: null-origin
+        dsl:
+          - "contains(tolower(all_headers), 'access-control-allow-origin: null')"
+          - "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
+        condition: and
+
+      - type: dsl
+        name: wildcard-acac
+        dsl:
+          - "contains(tolower(all_headers), 'access-control-allow-origin: *')"
+          - "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
+        condition: and
+
+      - type: dsl
+        name: wildcard-no-acac
+        dsl:
+          - "contains(tolower(all_headers), 'access-control-allow-origin: *')"
+          - "!contains(tolower(all_headers), 'access-control-allow-credentials: true')"
+        condition: and