45 lines
1.9 KiB
YAML
45 lines
1.9 KiB
YAML
id: cors-misconfig
|
|
|
|
info:
|
|
name: CORS Misconfiguration
|
|
author: nadino,g4l1t0,convisoappsec,pdteam,breno_css,nodauf
|
|
severity: info
|
|
reference:
|
|
- https://portswigger.net/web-security/cors
|
|
- https://www.corben.io/advanced-cors-techniques/
|
|
- https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/
|
|
metadata:
|
|
max-request: 11
|
|
tags: cors,generic,misconfig
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Origin: {{cors_origin}}
|
|
|
|
payloads:
|
|
cors_origin:
|
|
- "https://{{tolower(rand_base(5))}}{{RDN}}" # Arbitrary domain
|
|
- "https://{{tolower(rand_base(5))}}.com" # Arbitrary domain
|
|
- "https://{{FQDN}}.{{tolower(rand_base(5))}}.com" # Arbitrary domain
|
|
- "https://{{FQDN}}{{tolower(rand_base(5))}}.com" # Arbitrary domain
|
|
- "https://{{FQDN}}_.{{tolower(rand_base(5))}}.com" # Arbitrary domain
|
|
- "https://{{FQDN}}%60.{{tolower(rand_base(5))}}.com" # Arbitrary domain
|
|
- "null" # null origin
|
|
- "https://{{tolower(rand_base(5))}}.{{RDN}}" # Arbitrary subdomain
|
|
- "http://{{tolower(rand_base(5))}}.{{RDN}}" # Arbitrary subdomain over http
|
|
- "https://{{replace(FQDN,'.','a')}}" # Replace . by a random character to abuse if regex is used
|
|
- "http://{{replace(FQDN,'.','a')}}" # Replace . by a random character to abuse if regex is used
|
|
stop-at-first-match: true
|
|
matchers:
|
|
- type: dsl
|
|
name: arbitrary-origin
|
|
dsl:
|
|
- "contains(tolower(header), 'access-control-allow-origin: {{cors_origin}}')"
|
|
- "contains(tolower(header), 'access-control-allow-credentials: true')"
|
|
condition: and
|
|
|
|
# digest: 4a0a0047304502206b1f7d2d431f28b64dfa6b919cf7f12dcaf7c318522caf013e28de52a6a50a96022100baf749a65dd2856645045362bfeb3f53149690c3ceb2f1e23e1c123298dac19c:922c64590222798bb761d5b6d8e72950
|