Play with permissive CORS24 Dec 2017
While i was playing with a ‘code search engine’ tool called publicwww, i decided to gather some top Alexa domains and to look for some permissive CORS. I tried the following researches,
site:fr "type=\"password\"", the same for the TLDs .org and .com, in order to spot webpages with a login form, meaning authenticated users..
I will let you play with publicwww, remember that you are limited with basic access but if you pay you will have access to the top 200000 Alexa websites dealing with your request. May be you also wanna play with Shodan or Censys.
Automate permissive CORS detection
We already talked about Cross Origin Ressource Sharing in some previous posts. You also have a great explanation about the Same Origin Policy on mozilla.org. A website with permissive CORS will allow an attacker to perform any requests to this website from another ressource and this request can include the victim’s cookies (xhr.withCredentials = true).
So if the cookie’s session is reflected, you will be able to steal it and forge the victim’s session. You will be able to change the victim’s password if the former one is not requested, read some sensitive account information, …. Remember that because now you can READ the response, you also can read the CSRF token and bypass the protection.
So once i gathered enough interesting domains and urls from OSINT tools, and got a bunch of ones dealing with bug some bounty programs, i decided to be original and to create a tool called cors.py (DEPRECATED right now, check below).
This tool reads a list of domains and/or urls and will HTTP request them, adding the Origin header of your choice, example:
It will finally detects a permissive cors if the response header Access-Control-Allow-Origin is set to null or if the origin header’s value is reflected, and if the response header Access-Control-Allow-Credentials is set to true (permissive CORS is relevant only if you can read from request including victim’s cookies). You also can detect some strings in the response headers (see config.json) and configure other parameters like the number of threads, the user agent, the response timeout, and so on.
$ ./cors.py -h
usage: cors.py [-h] [-f URLSFILE] [-r]
Looking for some permissive CORS
-h, --help show this help message and exit
-f URLSFILE, --file URLSFILE
file with urls
-r, --redirect allow redirect in requests
Example of output:
$ ./cors.py -f /tmp/sitecomtypepassword.txt
Processing 230 lines
Launching 20 threads
open cors found for url http://asiaroom.com/
open cors found for url http://aksekiyapi.com/
open cors found for url http://baseshare.com/
open cors found for url http://fitwall.com/
open cors found for url http://h10.edmarkreadingonline.com/
open cors found for url http://ermresearch.com/
open cors found for url http://ellysdirectory.com/
UPDATE 01/07/2020:I’m strongly suggesting right now to use this complete tool of which i merged most of CORS detecting features: https://github.com/chenjj/CORScanner.
This tool gathers everything you need to detect an exploitable CORS misconfiguration :
|Blindly reflect the Origin header value in
Access-Control-Allow-Origin headers in responses, which means any website can read its secrets by sending cross-orign requests.
example.com.evil.com, which is an attacker’s domain.
evilexample.com, which could be registered by an attacker.
wwwaexample.com, which could be registered by an attacker.
example.co, which could be registered by an attacker.
null, which can be forged by iframe sandbox scripts
|Risky trust dependency, a MITM attacker may steal HTTPS site secrets
|Risky trust dependency, a subdomain XSS may steal its secrets
|Custom unsafe third parties origins like
github.io, see more in origins.json file. Thanks @phackt!
|Exploiting browsers’ handling of special characters. Most can only work in Safari except
_, which can also work in Chrome and Firefox. See more in Advanced CORS Exploitation Techniques. Thanks @Malayke.