
CorsOne

Fast CORS Misconfiguration Discovery Tool.


CorsOne is a tool designed to detect CORS misconfigurations quickly and easily. It compensates for the shortcomings of other tools and automatically tests all relevant cases.

Features

  • Accurate and fast diagnosis of CORS misconfiguration vulnerabilities
  • STDIN support enables easy integration with other tools or your own methodology
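
What a finding looks like at the header level, as an added example (not CorsOne's code, and not its list of test cases): the function labels a few commonly checked Access-Control-Allow-Origin patterns in a response to a request that carried an untrusted Origin. The function names, labels, and sample responses are constructed for illustration.

```python
from typing import Mapping, Optional


def classify_cors(probe_origin: str, headers: Mapping[str, str]) -> Optional[str]:
    """Label the CORS grant in one response to a request sent with
    `Origin: probe_origin`, where probe_origin is an origin the site is
    not supposed to trust. Returns None when nothing risky is granted."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    acao = h.get("access-control-allow-origin")
    # Per the Fetch standard the credentials flag only counts as exactly "true".
    creds = h.get("access-control-allow-credentials") == "true"
    if acao is None:
        return None  # no cross-origin read access granted
    if acao == "*":
        # Browsers never expose a credentialed response for "*", so the
        # pair is a server-side mistake rather than a readable grant.
        return "wildcard+credentials (ignored by browsers)" if creds else "wildcard"
    if acao == "null":
        return "null origin trusted" + (" with credentials" if creds else "")
    if acao.lower() == probe_origin.lower():
        return "untrusted origin reflected" + (" with credentials" if creds else "")
    return None  # fixed allowlist entry that does not match the probe


# Constructed sample responses (hypothetical, not output from CorsOne or a real site).
PROBE = "https://untrusted.example"
SAMPLES = [
    {"Access-Control-Allow-Origin": PROBE, "Access-Control-Allow-Credentials": "true"},
    {"Access-Control-Allow-Origin": PROBE, "Access-Control-Allow-Credentials": "True"},
    {"access-control-allow-origin": "null", "access-control-allow-credentials": "true"},
    {"Access-Control-Allow-Origin": "*"},
    {"Access-Control-Allow-Origin": "https://app.example.com"},
    {"Content-Type": "application/json"},
]


def audit(probe_origin, samples):
    """Classify every sample response against the same probe origin."""
    return [classify_cors(probe_origin, hdrs) for hdrs in samples]


if __name__ == "__main__":
    for hdrs, finding in zip(SAMPLES, audit(PROBE, SAMPLES)):
        print(f"{finding or 'no issue':45} <- {hdrs}")
```
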

Install

CorsOne requires Python v3 to install successfully.

git clone https://github.com/omranisecurity/CorsOne.git
cd CorsOne
python3 -m pip install -r requirements.txt

Usage

python3 CorsOne.py [-h] [-u URL] [-l LIST] [-ch CUSTOM_HEADERS] [-rl RATE_LIMIT] [-m {GET,POST}] [-p PROXY] [-s] [-v] [-nc] [-o OUTPUT]

This will display help for the tool. Here are all the switches it supports.

Usage:
  python3 CorsOne.py [flags]

Flags:
INPUT:
  -u, --url                  input target url to probe
  -l, --list                 input file list of URLs
Config:
  -ch, --custom-headers      custom header to include in all http request in header:value format. -ch "header1: value1\nheader2: value2"
  -rl,  --rate-limit         maximum requests to send per second
  -m, --method               HTTP method for the request
  -p,  --proxy               SOCKS and HTTP Proxy to use (eg -p "http://127.0.0.1:8080" or -p "proxylist.txt")

OUTPUT:
  -o, --output string        file to write output to

DEBUG:
  -s, --silent               show only result in output
  -v, --version              show version of CorsOne
  -nc, --no-color            disable color in output

Examples

  • To check CORS misconfigurations for a specific domain:

python3 CorsOne.py -u https://example.com/

  • To check CORS misconfigurations for a list of domains:

cat urls.txt | python3 CorsOne.py

or

python3 CorsOne.py -l list.txt

  • Check CORS misconfigurations with custom headers:

python3 CorsOne.py -u https://example.com/ -ch "Cookie: name=value;\nAccept-Encoding: gzip, deflate, br"

  • Check CORS misconfigurations with rate limit:

python3 CorsOne.py -u https://example.com/ -rl 5

  • Check CORS misconfigurations with a custom HTTP method (default GET):

python3 CorsOne.py -u https://example.com/ -m POST

  • Check CORS misconfigurations using a proxy:

python3 CorsOne.py -u https://example.com/ -p "https://ip:port/"

or

python3 CorsOne.py -u https://example.com/ -p "socks4://ip:port/"

python3 CorsOne.py -u https://example.com/ -p "socks5://ip:port/"

  • Check CORS misconfigurations using a proxy list:

python3 CorsOne.py -u https://example.com/ -p proxylist.txt

  • Save scan results to a file using -o:

python3 CorsOne.py -u https://example.com/ -o output_filename.txt


Acknowledgment
