CORS

What is CORS (cross-origin resource sharing)? Tutorial & Examples | Web Security AcademyWebSecAcademy

CORS Misconfiguration

Scanner

GitHub - chenjj/CORScanner: Fast CORS misconfiguration vulnerabilities scanner🍻GitHub

Nuclei template

https://github.com/coffinxp/priv8-Nuclei/blob/main/cors.yaml

id: cors-misconfig
info:
  name: CORS Misconfiguration
  author: coffin
  severity: high
  tags: cors,generic,misconfig

http:
  - raw:
      - |
        GET  HTTP/1.1
        Host: {{Hostname}}
        Origin: {{cors_origin}}

    payloads:
      cors_origin:
        - "https://{{tolower(rand_base(5))}}.{{RDN}}" # Find domain in RDN with Misconfiguration
    stop-at-first-match: true
    matchers:
      - type: dsl
        name: arbitrary-origin
        dsl:
          - "contains(tolower(header), 'access-control-allow-origin: {{cors_origin}}')"
          - "contains(tolower(header), 'access-control-allow-credentials: true')"
        condition: and

corsExploit/cors.yaml at main · coffinxp/corsExploitGitHub

Burp Extension

CORS*, Additional CORS Checks

To use this extension, simply click on the “Activate CORS* checkbox” and browse your target to let the extension do its magic. It will attempt different CORS bypass techniques for all requests passing through your Burp proxy. All you need to do is to check the results.

URL Validation Bypass

URL validation bypass cheat sheet for SSRF/CORS/Redirect - 2024 Edition | Web Security AcademyWebSecAcademy