description: CWE-346: Origin Validation Error

CORS

What is CORS (cross-origin resource sharing)?

Cross-origin resource sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain.

Misconfigured CORS

  • Use [CorsMe](https://github.com/Shivangx01b/CorsMe) to check all URLs: cat http_https.txt | ./CorsMe -t 70
  • Origin:null
  • Origin:attacker.com
  • Origin:attacker.target.com
  • Origin:attackertarget.com
  • Origin:sub.attackertarget.com
  • Origin:attacker.com and then change the method from GET to POST (or POST to GET)
  • Origin:sub.attacker target.com
  • Origin:sub.attacker%target.com
  • Origin:attacker.com/target.com
  • Origin:expected-host.com.attacker.com
  • expected-host.computer
  • foo@evil-host:80@expected-host
  • foo@evil-host%20@expected-host
  • evil-host%09expected-host
  • 127.1.1.1:80\\\\@127.2.2.2:80
  • 127.1.1.1:80:\\\\@@127.2.2.2:80
  • 127.1.1.1:80#\\\\@127.2.2.2:80
  • ß.evil-host
  • Method 1 (single target)
Step 1. Capture the target website in Burp and spider or crawl the whole site.
Step 2. Use Burp search to look for Access-Control.
Step 3. Add an Origin header, i.e. Origin:attacker.com, Origin:null, Origin:attacker.target.com or Origin:target.attacker.com.
Step 4. If the Origin value is reflected in the response, the target is vulnerable to CORS misconfiguration.


  • Method 2 (multiple targets)
Step 1. Find domains, i.e. subfinder -d target.com -o domains.txt
Step 2. Check which ones are alive: cat domains.txt | httpx | tee -a alive.txt
Step 3. Send each alive domain into Burp, i.e. cat alive.txt | parallel -j 10 curl --proxy "http://127.0.0.1:8080" -sk 2>/dev/null
Step 4. Repeat hunting Method 1.
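
On the server side, the Origin values listed above pass the usual shortcut checks (reflect, substring, prefix, suffix) and fail an exact-match allowlist. The following is an added example, not part of the original README; the allowlist, the https://target.com sample origins and all function names are constructed for illustration.

```javascript
// Assumed allowlist for a hypothetical service; replace with your real origins.
const ALLOWED_ORIGINS = new Set(["https://target.com", "https://app.target.com"]);

// Shortcut checks often found behind a reflected Access-Control-Allow-Origin.
const weakChecks = {
  reflectAny: () => true,
  contains: (o) => o.includes("target.com"),
  endsWith: (o) => o.endsWith("target.com"),
  startsWith: (o) => o.startsWith("https://target.com"),
};

// Strict check: exact string match only. "null" is never in the allowlist.
function strictCheck(origin) {
  return typeof origin === "string" && ALLOWED_ORIGINS.has(origin);
}

// Emit CORS headers only for an accepted origin; Vary keeps caches from
// serving one origin's response to another.
function corsHeaders(origin, check = strictCheck) {
  if (!check(origin)) return {};
  return { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
}

// Constructed sample origins modelled on the list above.
const SAMPLE_ORIGINS = [
  "null",
  "https://attacker.com",
  "https://attacker.target.com",
  "https://attackertarget.com",
  "https://sub.attackertarget.com",
  "https://target.com.attacker.com",
  "https://attacker.com/target.com",
  "https://target.computer",
  "https://app.target.com", // the only legitimate entry
];

// For each check, list the origins it accepts that are NOT in the allowlist.
function audit() {
  const report = {};
  const checks = { ...weakChecks, strict: strictCheck };
  for (const [name, check] of Object.entries(checks)) {
    report[name] = SAMPLE_ORIGINS.filter((o) => check(o) && !ALLOWED_ORIGINS.has(o));
  }
  return report;
}

console.log(audit());
```

Any non-empty list in the report is a set of origins that check would echo back in Access-Control-Allow-Origin.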

Reports