CORS misconfig improvements (#3988)

* CORS misconfig improvements * more updates * Update cors-misconfig.yaml * misc update
2022-04-16 21:06:53 +05:30 · 2022-04-16 21:06:53 +05:30 · f95e43a5af
parent f408247e8e
commit f95e43a5af
1 changed files with 22 additions and 45 deletions
--- a/vulnerabilities/generic/cors-misconfig.yaml
+++ b/vulnerabilities/generic/cors-misconfig.yaml
@ -1,63 +1,40 @@
 id: cors-misconfig
 info:
-  name: Basic CORS misconfiguration
+  name: CORS Misconfiguration
-  author: nadino,G4L1T0,convisoappsec,pdteam
+  author: nadino,g4l1t0,convisoappsec,pdteam,breno_css
  severity: info
-  reference: https://portswigger.net/web-security/cors
+  reference:
-  tags: cors,generic
+    - https://portswigger.net/web-security/cors
    - https://www.corben.io/advanced-cors-techniques/
    - https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/
  tags: cors,generic,misconfig
 requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Origin: {{cors_origin}}
-      - |
+    payloads:
-        GET / HTTP/1.1
+      cors_origin:
-        Host: {{Hostname}}
+        - "https://{{tolower(rand_base(5))}}{{RDN}}"     # Arbitrary domain
-        Origin: {{randstr}}.tld
+        - "https://{{tolower(rand_base(5))}}.com"             # Arbitrary domain
-
+        - "https://{{FQDN}}.{{tolower(rand_base(5))}}.com"     # Arbitrary domain
-      - |
+        - "https://{{FQDN}}{{tolower(rand_base(5))}}.com"      # Arbitrary domain
-        GET / HTTP/1.1
+        - "https://{{FQDN}}_.{{tolower(rand_base(5))}}.com"    # Arbitrary domain
-        Host: {{Hostname}}
+        - "https://{{FQDN}}%60.{{tolower(rand_base(5))}}.com"  # Arbitrary domain
-        Origin: null
+        - "null"                                              # null origin
-
+        - "https://{{tolower(rand_base(5))}}.{{RDN}}"         # Arbitrary subdomain
-#  TODO's for future as currently {{Hostname}} is not supported in matchers
+        - "http://{{tolower(rand_base(5))}}.{{RDN}}"          # Arbitrary subdomain over http
 #        Origin: {{randstr}}.{{Hostname}}
 #        Origin: {{Hostname}}.{{randstr}}.tld
 #        Origin: {{Hostname}}{{randstr}}.tld
 #        Origin: {{Hostname}}_.{{randstr}}.tld
 #        Origin: {{Hostname}}%60.{{randstr}}.tld
 #        Origin: http://{{Hostname}}
 #        Origin: http://{{randstr}}.{{Hostname}}
    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: dsl
        name: arbitrary-origin
        dsl:
-          - "contains(tolower(all_headers), 'access-control-allow-origin: {{randstr}}.tld')"
+          - "contains(tolower(all_headers), 'access-control-allow-origin: {{cors_origin}}')"
          - "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
-        condition: and
+        condition: and
      - type: dsl
        name: null-origin
        dsl:
          - "contains(tolower(all_headers), 'access-control-allow-origin: null')"
          - "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
        condition: and
      - type: dsl
        name: wildcard-acac
        dsl:
          - "contains(tolower(all_headers), 'access-control-allow-origin: *')"
          - "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
        condition: and
      - type: dsl
        name: wildcard-no-acac
        dsl:
          - "contains(tolower(all_headers), 'access-control-allow-origin: *')"
          - "!contains(tolower(all_headers), 'access-control-allow-credentials: true')"
        condition: and