Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations.
Requirements
Corsy only works with
Python 3 and has the following depencies:tldrequests
pip3 install -r requirements.txtUsage
Using Corsy is pretty simple
python3 corsy.py -u https://example.comScan URLs from a file
python3 corsy.py -i /path/urls.txtNumber of threads
python3 corsy.py -u https://example.com -t 20Delay between requests
python3 corsy.py -u https://example.com -d 2Export results to JSON
python3 corsy.py -i /path/urls.txt -o /path/output.jsonCustom HTTP headers
python3 corsy.py -u https://example.com --headers "User-Agent: GoogleBot\nCookie: SESSION=Hacked"Skip printing tips
-q can be used to skip printing of description, severity, exploitation fields in the output.Tests implemented
- Pre-domain bypass
- Post-domain bypass
- Backtick bypass
- Null origin bypass
- Unescaped dot bypass
- Invalid value
- Wild card value
- Origin reflection test
- Third party allowance test
- HTTP allowance test
Tags
CORS
CORS Misconfiguration Scanner
CORS Scanner
Corsy
Exploitation
Misconfiguration
Python
Scans
SQL Vulnerability Scanner