CORS Misconfiguration Scanner
Latest commit 3f9b523 Jan 16, 2020
Type Name Latest commit message Commit time
core minor ui changes Jan 16, 2020
db 1.0-beta Jan 16, 2020
CHANGELOG.md changelog for 0.2-beta Nov 25, 2019
LICENSE Initial commit Nov 24, 2019
README.md updated screenshot Jan 16, 2020
corsy.py minor ui changes Jan 16, 2020
requirements.txt Create requirements.txt Nov 24, 2019

README.md


Corsy

CORS Misconfiguration Scanner

Introduction

Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations.


Requirements

Corsy only works with Python 3 and has the following dependencies:

  • tld
  • requests

To install these dependencies, navigate to the Corsy directory and execute pip3 install -r requirements.txt

Usage

Using Corsy is pretty simple

python3 corsy.py -u https://example.com

Scan URLs from a file

python3 corsy.py -i /path/urls.txt

Number of threads

python3 corsy.py -u https://example.com -t 20

Delay between requests

python3 corsy.py -u https://example.com -d 2

Export results to JSON

python3 corsy.py -i /path/urls.txt -o /path/output.json

Custom HTTP headers

python3 corsy.py -u https://example.com --headers "User-Agent: GoogleBot\nCookie: SESSION=Hacked"

Skip printing tips

-q can be used to skip printing the description, severity and exploitation fields in the output.

Tests implemented

  • Pre-domain bypass
  • Post-domain bypass
  • Backtick bypass
  • Null origin bypass
  • Unescaped dot bypass
  • Invalid value
  • Wild card value
  • Origin reflection test
  • Third party allowance test
  • HTTP allowance test
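
To check your own server-side origin validation against several of the cases listed above, the following added example (not part of Corsy or its README) compares a loosely written origin check with an exact-match allow-list. The probe origins, the function names and the reading of each test name are assumptions made for illustration.

```python
import re

# Constructed allow-list for a hypothetical site served at example.com.
TRUSTED = {"https://example.com", "https://www.example.com"}

def weak_allow(origin):
    """Loose checks of the kind the tests above are meant to catch."""
    return (
        origin == "null"                                 # null origin accepted
        or origin.endswith("example.com")                # anything may precede the domain, any scheme
        or origin.startswith("https://example.com")      # anything may follow the domain
        or re.match(r"^https?://www.example.com$", origin) is not None  # '.' matches any char
    )

def strict_allow(origin):
    """Exact scheme+host match against a fixed allow-list."""
    return origin in TRUSTED

def cors_headers(origin, allow):
    """Response headers a server would emit for a request carrying this Origin."""
    if origin and allow(origin):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # keep caches from reusing the header across origins
        }
    return {}

# Constructed probe origins, one per test name (assumed meaning of each test).
PROBES = {
    "pre-domain": "https://untrustedexample.com",
    "post-domain": "https://example.com.untrusted.test",
    "backtick": "https://example.com`.untrusted.test",
    "null origin": "null",
    "unescaped dot": "https://wwwxexample.com",
    "http allowance": "http://example.com",
}

def audit(allow):
    """Names of the probes whose origin the validator would reflect."""
    return sorted(
        name for name, origin in PROBES.items()
        if "Access-Control-Allow-Origin" in cors_headers(origin, allow)
    )

if __name__ == "__main__":
    print("weak validator accepts:  ", audit(weak_allow))
    print("strict validator accepts:", audit(strict_allow))
```

The weak validator accepts all six probes, while the exact-match allow-list accepts none and still serves its two trusted origins.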

Support the developer

Liked the project? Donate a few bucks to motivate me to keep writing code for free.
