From f95e43a5af8cef75f84e6fd0875b0f5e330179a5 Mon Sep 17 00:00:00 2001
From: Sandeep Singh
Date: Sat, 16 Apr 2022 21:06:53 +0530
Subject: [PATCH] CORS misconfig improvements (#3988)

* CORS misconfig improvements
* more updates
* Update cors-misconfig.yaml
* misc update
---
 vulnerabilities/generic/cors-misconfig.yaml | 67 +++++++-------------
 1 file changed, 22 insertions(+), 45 deletions(-)

diff --git a/vulnerabilities/generic/cors-misconfig.yaml b/vulnerabilities/generic/cors-misconfig.yaml
index a476df65b4..0c21683c10 100644
--- a/vulnerabilities/generic/cors-misconfig.yaml
+++ b/vulnerabilities/generic/cors-misconfig.yaml
@@ -1,63 +1,40 @@ id: cors-misconfig info: - name: Basic CORS misconfiguration - author: nadino,G4L1T0,convisoappsec,pdteam + name: CORS Misconfiguration + author: nadino,g4l1t0,convisoappsec,pdteam,breno_css severity: info - reference: https://portswigger.net/web-security/cors - tags: cors,generic + reference: + - https://portswigger.net/web-security/cors + - https://www.corben.io/advanced-cors-techniques/ + - https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/ + tags: cors,generic,misconfig requests: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} + Origin: {{cors_origin}} - - | - GET / HTTP/1.1 - Host: {{Hostname}} - Origin: {{randstr}}.tld - - - | - GET / HTTP/1.1 - Host: {{Hostname}} - Origin: null - -# TODO's for future as currently {{Hostname}} is not supported in matchers -# Origin: {{randstr}}.{{Hostname}} -# Origin: {{Hostname}}.{{randstr}}.tld -# Origin: {{Hostname}}{{randstr}}.tld -# Origin: {{Hostname}}_.{{randstr}}.tld -# Origin: {{Hostname}}%60.{{randstr}}.tld -# Origin: http://{{Hostname}} -# Origin: http://{{randstr}}.{{Hostname}} + payloads: + cors_origin: + - "https://{{tolower(rand_base(5))}}{{RDN}}" # Arbitrary domain + - "https://{{tolower(rand_base(5))}}.com" # Arbitrary domain + - "https://{{FQDN}}.{{tolower(rand_base(5))}}.com" # Arbitrary domain + - "https://{{FQDN}}{{tolower(rand_base(5))}}.com" # Arbitrary domain + - "https://{{FQDN}}_.{{tolower(rand_base(5))}}.com" # Arbitrary domain + - "https://{{FQDN}}%60.{{tolower(rand_base(5))}}.com" # Arbitrary domain + - "null" # null origin + - "https://{{tolower(rand_base(5))}}.{{RDN}}" # Arbitrary subdomain + - "http://{{tolower(rand_base(5))}}.{{RDN}}" # Arbitrary subdomain over http + stop-at-first-match: true matchers-condition: or matchers: - type: dsl name: arbitrary-origin dsl: - - "contains(tolower(all_headers), 'access-control-allow-origin: {{randstr}}.tld')" + - "contains(tolower(all_headers), 'access-control-allow-origin: {{cors_origin}}')" - 
"contains(tolower(all_headers), 'access-control-allow-credentials: true')" - condition: and - - - type: dsl - name: null-origin - dsl: - - "contains(tolower(all_headers), 'access-control-allow-origin: null')" - - "contains(tolower(all_headers), 'access-control-allow-credentials: true')" - condition: and - - - type: dsl - name: wildcard-acac - dsl: - - "contains(tolower(all_headers), 'access-control-allow-origin: *')" - - "contains(tolower(all_headers), 'access-control-allow-credentials: true')" - condition: and - - - type: dsl - name: wildcard-no-acac - dsl: - - "contains(tolower(all_headers), 'access-control-allow-origin: *')" - - "!contains(tolower(all_headers), 'access-control-allow-credentials: true')" - condition: and + condition: and \ No newline at end of file