Skip to content

s0md3v/Corsy

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 4 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
core
Fix "root" where "scheme" was intended
November 14, 2021 00:15
db
added underscore bypass
January 28, 2021 16:21
CHANGELOG.md
changelog for 0.2-beta
November 25, 2019 14:31
LICENSE
Initial commit
November 24, 2019 21:09
README.md
it's requests, not request
January 28, 2021 17:00
corsy.py
Merge branch 'master' into master
January 28, 2021 16:50
requirements.txt
removed tld dependency
January 28, 2021 16:15
Corsy CORS Misconfiguration Scanner Introduction Requirements Usage Scan URLs from a file Scan URLs from stdin Number of threads Delay between requests Export results to JSON Custom HTTP headers Skip printing tips Tests implemented

README.md


Corsy
Corsy

CORS Misconfiguration Scanner

Introduction

Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations.

demo

Requirements

Corsy only works with Python 3 and has just one dependency:

  • requests

To install this dependency, navigate to Corsy directory and execute pip3 install requests

Usage

Using Corsy is pretty simple

python3 corsy.py -u https://example.com

Scan URLs from a file

python3 corsy.py -i /path/urls.txt

Scan URLs from stdin

cat urls.txt | python3 corsy.py

Number of threads

python3 corsy.py -u https://example.com -t 20

Delay between requests

python3 corsy.py -u https://example.com -d 2

Export results to JSON

python3 corsy.py -i /path/urls.txt -o /path/output.json

Custom HTTP headers

python3 corsy.py -u https://example.com --headers "User-Agent: GoogleBot\nCookie: SESSION=Hacked"

Skip printing tips

-q can be used to skip printing of description, severity, exploitation fields in the output.

Tests implemented

  • Pre-domain bypass
  • Post-domain bypass
  • Backtick bypass
  • Null origin bypass
  • Unescaped dot bypass
  • Underscore bypass
  • Invalid value
  • Wild card value
  • Origin reflection test
  • Third party allowance test
  • HTTP allowance test

About

CORS Misconfiguration Scanner

Topics

cors vulnerability-scanner cors-scanner cors-misconfiguration-scanner

Resources

Readme

License

GPL-3.0 license
Activity

Stars

1.2k stars

Watchers

31 watching

Forks

163 forks
Report repository

Releases 4

1.0-rc Latest
Jan 28, 2021
+ 3 releases

Sponsor this project

  •  
Learn more about GitHub Sponsors

Packages

No packages published

Contributors 6

Languages