CORS misconfig improvements (#3988)
* CORS misconfig improvements * more updates * Update cors-misconfig.yaml * misc updatepatch-1
parent
f408247e8e
commit
f95e43a5af
|
@ -1,63 +1,40 @@
|
|||
id: cors-misconfig
|
||||
|
||||
info:
|
||||
name: Basic CORS misconfiguration
|
||||
author: nadino,G4L1T0,convisoappsec,pdteam
|
||||
name: CORS Misconfiguration
|
||||
author: nadino,g4l1t0,convisoappsec,pdteam,breno_css
|
||||
severity: info
|
||||
reference: https://portswigger.net/web-security/cors
|
||||
tags: cors,generic
|
||||
reference:
|
||||
- https://portswigger.net/web-security/cors
|
||||
- https://www.corben.io/advanced-cors-techniques/
|
||||
- https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/
|
||||
tags: cors,generic,misconfig
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{cors_origin}}
|
||||
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{randstr}}.tld
|
||||
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: null
|
||||
|
||||
# TODO's for future as currently {{Hostname}} is not supported in matchers
|
||||
# Origin: {{randstr}}.{{Hostname}}
|
||||
# Origin: {{Hostname}}.{{randstr}}.tld
|
||||
# Origin: {{Hostname}}{{randstr}}.tld
|
||||
# Origin: {{Hostname}}_.{{randstr}}.tld
|
||||
# Origin: {{Hostname}}%60.{{randstr}}.tld
|
||||
# Origin: http://{{Hostname}}
|
||||
# Origin: http://{{randstr}}.{{Hostname}}
|
||||
payloads:
|
||||
cors_origin:
|
||||
- "https://{{tolower(rand_base(5))}}{{RDN}}" # Arbitrary domain
|
||||
- "https://{{tolower(rand_base(5))}}.com" # Arbitrary domain
|
||||
- "https://{{FQDN}}.{{tolower(rand_base(5))}}.com" # Arbitrary domain
|
||||
- "https://{{FQDN}}{{tolower(rand_base(5))}}.com" # Arbitrary domain
|
||||
- "https://{{FQDN}}_.{{tolower(rand_base(5))}}.com" # Arbitrary domain
|
||||
- "https://{{FQDN}}%60.{{tolower(rand_base(5))}}.com" # Arbitrary domain
|
||||
- "null" # null origin
|
||||
- "https://{{tolower(rand_base(5))}}.{{RDN}}" # Arbitrary subdomain
|
||||
- "http://{{tolower(rand_base(5))}}.{{RDN}}" # Arbitrary subdomain over http
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: dsl
|
||||
name: arbitrary-origin
|
||||
dsl:
|
||||
- "contains(tolower(all_headers), 'access-control-allow-origin: {{randstr}}.tld')"
|
||||
- "contains(tolower(all_headers), 'access-control-allow-origin: {{cors_origin}}')"
|
||||
- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
|
||||
condition: and
|
||||
|
||||
- type: dsl
|
||||
name: null-origin
|
||||
dsl:
|
||||
- "contains(tolower(all_headers), 'access-control-allow-origin: null')"
|
||||
- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
|
||||
condition: and
|
||||
|
||||
- type: dsl
|
||||
name: wildcard-acac
|
||||
dsl:
|
||||
- "contains(tolower(all_headers), 'access-control-allow-origin: *')"
|
||||
- "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
|
||||
condition: and
|
||||
|
||||
- type: dsl
|
||||
name: wildcard-no-acac
|
||||
dsl:
|
||||
- "contains(tolower(all_headers), 'access-control-allow-origin: *')"
|
||||
- "!contains(tolower(all_headers), 'access-control-allow-credentials: true')"
|
||||
condition: and
|
||||
|
|
Loading…
Reference in New Issue