id: cors-misconfig

info:
  name: CORS Misconfiguration
  author: nadino,g4l1t0,convisoappsec,pdteam,breno_css
  severity: info
  reference:
    - https://portswigger.net/web-security/cors
    - https://www.corben.io/advanced-cors-techniques/
    - https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/
  tags: cors,generic,misconfig

requests:
  - raw:
      - |
        GET  HTTP/1.1
        Host: {{Hostname}}
        Origin: {{cors_origin}}

    payloads:
      cors_origin:
        - "https://{{tolower(rand_base(5))}}{{RDN}}"     # Arbitrary domain
        - "https://{{tolower(rand_base(5))}}.com"             # Arbitrary domain
        - "https://{{FQDN}}.{{tolower(rand_base(5))}}.com"     # Arbitrary domain
        - "https://{{FQDN}}{{tolower(rand_base(5))}}.com"      # Arbitrary domain
        - "https://{{FQDN}}_.{{tolower(rand_base(5))}}.com"    # Arbitrary domain
        - "https://{{FQDN}}%60.{{tolower(rand_base(5))}}.com"  # Arbitrary domain
        - "null"                                              # null origin
        - "https://{{tolower(rand_base(5))}}.{{RDN}}"         # Arbitrary subdomain
        - "http://{{tolower(rand_base(5))}}.{{RDN}}"          # Arbitrary subdomain over http

    stop-at-first-match: true
    matchers:
      - type: dsl
        name: arbitrary-origin
        dsl:
          - "contains(tolower(all_headers), 'access-control-allow-origin: {{cors_origin}}')"
          - "contains(tolower(all_headers), 'access-control-allow-credentials: true')"
        condition: and