CORS misconfig improvements (#3988)
* CORS misconfig improvements * more updates * Update cors-misconfig.yaml * misc updatepatch-1
parent
f408247e8e
commit
f95e43a5af
|
@ -1,63 +1,40 @@
|
||||||
id: cors-misconfig
|
id: cors-misconfig
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Basic CORS misconfiguration
|
name: CORS Misconfiguration
|
||||||
author: nadino,G4L1T0,convisoappsec,pdteam
|
author: nadino,g4l1t0,convisoappsec,pdteam,breno_css
|
||||||
severity: info
|
severity: info
|
||||||
reference: https://portswigger.net/web-security/cors
|
reference:
|
||||||
tags: cors,generic
|
- https://portswigger.net/web-security/cors
|
||||||
|
- https://www.corben.io/advanced-cors-techniques/
|
||||||
|
- https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/
|
||||||
|
tags: cors,generic,misconfig
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
GET / HTTP/1.1
|
GET / HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
Origin: {{cors_origin}}
|
||||||
|
|
||||||
- |
|
payloads:
|
||||||
GET / HTTP/1.1
|
cors_origin:
|
||||||
Host: {{Hostname}}
|
- "https://{{tolower(rand_base(5))}}{{RDN}}" # Arbitrary domain
|
||||||
Origin: {{randstr}}.tld
|
- "https://{{tolower(rand_base(5))}}.com" # Arbitrary domain
|
||||||
|
- "https://{{FQDN}}.{{tolower(rand_base(5))}}.com" # Arbitrary domain
|
||||||
- |
|
- "https://{{FQDN}}{{tolower(rand_base(5))}}.com" # Arbitrary domain
|
||||||
GET / HTTP/1.1
|
- "https://{{FQDN}}_.{{tolower(rand_base(5))}}.com" # Arbitrary domain
|
||||||
Host: {{Hostname}}
|
- "https://{{FQDN}}%60.{{tolower(rand_base(5))}}.com" # Arbitrary domain
|
||||||
Origin: null
|
- "null" # null origin
|
||||||
|
- "https://{{tolower(rand_base(5))}}.{{RDN}}" # Arbitrary subdomain
|
||||||
# TODO's for future as currently {{Hostname}} is not supported in matchers
|
- "http://{{tolower(rand_base(5))}}.{{RDN}}" # Arbitrary subdomain over http
|
||||||
# Origin: {{randstr}}.{{Hostname}}
|
|
||||||
# Origin: {{Hostname}}.{{randstr}}.tld
|
|
||||||
# Origin: {{Hostname}}{{randstr}}.tld
|
|
||||||
# Origin: {{Hostname}}_.{{randstr}}.tld
|
|
||||||
# Origin: {{Hostname}}%60.{{randstr}}.tld
|
|
||||||
# Origin: http://{{Hostname}}
|
|
||||||
# Origin: http://{{randstr}}.{{Hostname}}
|
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
matchers-condition: or
|
matchers-condition: or
|
||||||
matchers:
|
matchers:
|
||||||
- type: dsl
|
- type: dsl
|
||||||
name: arbitrary-origin
|
name: arbitrary-origin
|
||||||
dsl:
|
dsl:
|
||||||
- "contains(tolower(all_headers), 'access-control-allow-origin: {{randstr}}.tld')"
|
- "contains(tolower(all_headers), 'access-control-allow-origin: {{cors_origin}}')"
|
||||||
- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
|
- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
- type: dsl
|
|
||||||
name: null-origin
|
|
||||||
dsl:
|
|
||||||
- "contains(tolower(all_headers), 'access-control-allow-origin: null')"
|
|
||||||
- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
|
|
||||||
condition: and
|
|
||||||
|
|
||||||
- type: dsl
|
|
||||||
name: wildcard-acac
|
|
||||||
dsl:
|
|
||||||
- "contains(tolower(all_headers), 'access-control-allow-origin: *')"
|
|
||||||
- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
|
|
||||||
condition: and
|
|
||||||
|
|
||||||
- type: dsl
|
|
||||||
name: wildcard-no-acac
|
|
||||||
dsl:
|
|
||||||
- "contains(tolower(all_headers), 'access-control-allow-origin: *')"
|
|
||||||
- "!contains(tolower(all_headers), 'access-control-allow-credentials: true')"
|
|
||||||
condition: and
|
|
Loading…
Reference in New Issue