id: cors-misconfig info: name: Basic CORS misconfiguration author: nadino,G4L1T0,convisoappsec,pdteam severity: info reference: https://portswigger.net/web-security/cors tags: cors,generic requests: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} - | GET / HTTP/1.1 Host: {{Hostname}} Origin: {{randstr}}.com - | GET / HTTP/1.1 Host: {{Hostname}} Origin: null # - | # GET / HTTP/1.1 # Host: {{Hostname}} # Origin: {{randstr}}.{{Hostname}} # # - | # GET / HTTP/1.1 # Host: {{Hostname}} # Origin: {{Hostname}}{{randstr}} # TO DO for future as currently {{Hostname}} is not supported in matchers matchers-condition: or matchers: - type: dsl name: arbitrary-origin dsl: - "contains(tolower(all_headers), 'access-control-allow-origin: {{randstr}}.com')" - "contains(tolower(all_headers), 'access-control-allow-credentials: true')" condition: and - type: dsl name: null-origin dsl: - "contains(tolower(all_headers), 'access-control-allow-origin: null')" - "contains(tolower(all_headers), 'access-control-allow-credentials: true')" condition: and - type: dsl name: wildcard-acac dsl: - "contains(tolower(all_headers), 'access-control-allow-origin: *')" - "contains(tolower(all_headers), 'access-control-allow-credentials: true')" condition: and - type: dsl name: wildcard-no-acac dsl: - "contains(tolower(all_headers), 'access-control-allow-origin: *')" - "!contains(tolower(all_headers), 'access-control-allow-credentials: true')" condition: and