id: cors-misconfig info: name: CORS Misconfiguration author: nadino,g4l1t0,convisoappsec,pdteam,breno_css,nodauf severity: info reference: - https://portswigger.net/web-security/cors - https://www.corben.io/advanced-cors-techniques/ - https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/ metadata: max-request: 11 tags: cors,generic,misconfig http: - raw: - | GET HTTP/1.1 Host: {{Hostname}} Origin: {{cors_origin}} payloads: cors_origin: - "https://{{tolower(rand_base(5))}}{{RDN}}" # Arbitrary domain - "https://{{tolower(rand_base(5))}}.com" # Arbitrary domain - "https://{{FQDN}}.{{tolower(rand_base(5))}}.com" # Arbitrary domain - "https://{{FQDN}}{{tolower(rand_base(5))}}.com" # Arbitrary domain - "https://{{FQDN}}_.{{tolower(rand_base(5))}}.com" # Arbitrary domain - "https://{{FQDN}}%60.{{tolower(rand_base(5))}}.com" # Arbitrary domain - "null" # null origin - "https://{{tolower(rand_base(5))}}.{{RDN}}" # Arbitrary subdomain - "http://{{tolower(rand_base(5))}}.{{RDN}}" # Arbitrary subdomain over http - "https://{{replace(FQDN,'.','a')}}" # Replace . by a random character to abuse if regex is used - "http://{{replace(FQDN,'.','a')}}" # Replace . by a random character to abuse if regex is used stop-at-first-match: true matchers: - type: dsl name: arbitrary-origin dsl: - "contains(tolower(header), 'access-control-allow-origin: {{cors_origin}}')" - "contains(tolower(header), 'access-control-allow-credentials: true')" condition: and # digest: 4a0a0047304502206b1f7d2d431f28b64dfa6b919cf7f12dcaf7c318522caf013e28de52a6a50a96022100baf749a65dd2856645045362bfeb3f53149690c3ceb2f1e23e1c123298dac19c:922c64590222798bb761d5b6d8e72950