CORStest

A simple CORS misconfiguration scanner

Based on the research of James Kettle

CORStest is a quick & dirty Python 3 tool to find Cross-Origin Resource Sharing (CORS) misconfigurations. It takes a text file as input which may contain a list of domain names or URLs. Currently, the following potential vulnerabilities are detected by sending a certain Origin request header and checking for the Access-Control-Allow-Origin response header:

  • Developer backdoor: Insecure dev origins like JSFiddle or CodePen are allowed to access this resource
  • Origin reflection: The origin is simply echoed in ACAO header, any site is allowed to access this resource
  • Null misconfiguration: Any site is allowed to access by forcing the null origin via a sandboxed iframe
  • Pre-domain wildcard: notdomain.com is allowed access, which can simply be registered by an attacker
  • Post-domain wildcard: domain.com.evil.com is allowed access, which can be registered by an attacker
  • Subdomains allowed: sub.domain.com is allowed access, exploitable if an attacker finds XSS in any subdomain
  • Non-SSL sites allowed: An http origin is allowed access to an https resource, which allows a MitM to break the encryption
  • Invalid CORS header: Wrong use of wildcard or multiple origins, not a security problem but should be fixed

Note that these vulnerabilities/misconfigurations are dependent on the context. In most scenarios, they can only be exploited by an attacker if the Access-Control-Allow-Credentials header is present (see the -q flag).
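The checks listed above, as an added example that is not CORStest's own code: one probe Origin per check, a classifier that reads the Access-Control-Allow-Origin/-Credentials response headers, and a quiet mode mirroring -q. The probe origin values, the `responder` callback (so it runs offline without HTTP) and the `substring_match_server` stand-in are this example's assumptions.

```python
from urllib.parse import urlparse

def probe_origins(url):
    """One probe Origin per README check (assumed values, not the tool's exact ones)."""
    host = urlparse(url if "://" in url else "https://" + url).hostname
    return {
        "developer backdoor": "https://jsfiddle.net",
        "origin reflection": "https://evil.example",
        "null misconfiguration": "null",
        "pre-domain wildcard": f"https://not{host}",
        "post-domain wildcard": f"https://{host}.evil.example",
        "subdomains allowed": f"https://sub.{host}",
        "non-ssl sites allowed": f"http://{host}",
    }

def classify(check, origin_sent, acao, acac=None):
    """Map one probe's response headers to a finding name, or None."""
    if acao is None:
        return None                       # no CORS header at all: nothing to report
    acao = acao.strip()
    if "," in acao or " " in acao:
        return "invalid CORS header (multiple origins)"
    if acao == "*":
        # '*' never grants credentialed access; combined with ACAC it is a spec violation
        return "invalid CORS header (wildcard with credentials)" if acac == "true" else None
    return check if acao == origin_sent else None   # exact echo of our probe = finding

def scan(url, responder, quiet=False):
    """responder(url, origin) -> (acao, acac); quiet=True keeps credentialed findings only."""
    findings = []
    for check, origin in probe_origins(url).items():
        acao, acac = responder(url, origin)
        finding = classify(check, origin, acao, acac)
        if finding and (not quiet or acac == "true"):
            findings.append(finding)
    return findings

def substring_match_server(url, origin):
    """Constructed stand-in for a server that allow-lists by substring match."""
    if "domain.com" in origin:
        return origin, "true"
    return None, None

if __name__ == "__main__":
    print(scan("https://domain.com", substring_match_server, quiet=True))
```

A real run would replace `substring_match_server` with a function that sends the request with the given Origin header and returns the two response headers.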

Usage

usage: corstest.py [arguments] infile

positional arguments:
  infile         File with domain or URL list

optional arguments:
  -h, --help     show this help message and exit
  -c name=value  Send cookie with all requests
  -p processes   multiprocessing (default: 32)
  -s             always force ssl/tls requests
  -q             quiet, allow-credentials only
  -v             produce a more verbose output

Example

Use of CORStest to detect misconfigurations for the Alexa top 750 sites (with Access-Control-Allow-Credentials):

(Screenshot: CORStest example with Alexa top 750 websites)

Evaluation

Running this CORStest on the Alexa top 1 million sites reveals the following results:

(Screenshot: CORStest example with Alexa top 1,000,000 sites)

Note that the absolute numbers are quite low, because only 3% of the 1,000,000 tested websites had CORS enabled on their main page and could be analyzed for misconfigurations. This test took about 14 hours on a decent DSL line. If you have a fast Internet connection, increase the number of parallel processes to -p50 or more.

Background

Read more on the technical background of CORS misconfigurations in this fine blogpost or check out this talk. A large-scale evaluation of CORS misconfigurations using CORStest is documented here.
