id: cors-misconfig info: name: CORS Misconfiguration author: nadino,g4l1t0,convisoappsec,pdteam,breno_css,nodauf severity: info reference: - https://portswigger.net/web-security/cors - https://www.corben.io/advanced-cors-techniques/ - https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/ tags: cors,generic,misconfig metadata: max-request: 11 http: - raw: - | GET HTTP/1.1 Host: {{Hostname}} Origin: {{cors_origin}} payloads: cors_origin: - "https://{{tolower(rand_base(5))}}{{RDN}}" # Arbitrary domain - "https://{{tolower(rand_base(5))}}.com" # Arbitrary domain - "https://{{FQDN}}.{{tolower(rand_base(5))}}.com" # Arbitrary domain - "https://{{FQDN}}{{tolower(rand_base(5))}}.com" # Arbitrary domain - "https://{{FQDN}}_.{{tolower(rand_base(5))}}.com" # Arbitrary domain - "https://{{FQDN}}%60.{{tolower(rand_base(5))}}.com" # Arbitrary domain - "null" # null origin - "https://{{tolower(rand_base(5))}}.{{RDN}}" # Arbitrary subdomain - "http://{{tolower(rand_base(5))}}.{{RDN}}" # Arbitrary subdomain over http - "https://{{replace(FQDN,'.','a')}}" # Replace . by a random character to abuse if regex is used - "http://{{replace(FQDN,'.','a')}}" # Replace . by a random character to abuse if regex is used stop-at-first-match: true matchers: - type: dsl name: arbitrary-origin dsl: - "contains(tolower(header), 'access-control-allow-origin: {{cors_origin}}')" - "contains(tolower(header), 'access-control-allow-credentials: true')" condition: and