Skip to content

omranisecurity/CorsOne

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

52 Commits
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
 
 
CorsOne.py
CorsOne.py
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

CorsOne

Fast CORS Misconfiguration Discovery Tool.

FeaturesInstallUsageExamples

CorsOne CorsOne is a tool designed to quickly and easily detect CORS misconfiguration, compensating for the shortcomings of other tools and providing automatic testing for all relevant cases.

Features

  • Accurate and fast diagnosis of CORS Misconfiguration vulnerability
  • STDIN support enables easy integration with other tools or your own methodology

Install

  • Create a Virtual Environment
python3 -m venv env-corsone
  • Activate the Virtual Environment

On macOS/Linux:

source env-corsone/bin/activate

On Windows:

env-corsone\Scripts\activate
  • Clone the Repository:
git clone https://github.com/omranisecurity/CorsOne.git
cd CorsOne
python3 -m pip install -r requirements.txt
  • Exit the Virtual Environment (when done):
deactivate

Usage

python3 CorsOne [-h] [-u URL] [-l LIST] [-sof] [-ch CUSTOM_HEADERS] [-rl RATE_LIMIT] [-m {GET,POST}] [-p PROXY] [-s] [-v] [-nc] [-o OUTPUT]

This will display help for the tool. Here are all the switches it supports.

Usage:
  python3 CorsOne.py [flags]

Flags:
INPUT:
  -u, --url                  input target url to probe
  -l, --list                 input file list of URLs

Config:
  -sof,  --stop-on-first     stop testing after finding the first vulnerability
  -ch, --custom-headers      custom header to include in all http request in header:value format. -ch "header1: value1\nheader2: value2"
  -rl,  --rate-limit         maximum requests to send per second
  -m, --method               HTTP method for the request
  -p,  --proxy               SOCKS Proxy to use (eg -p "socks5://127.0.0.1:6060")

OUTPUT:
  -o, --output string        file to write output to

DEBUG:
  -s, --silent               show only result in output
  -v, --version              show version of CorsOne
  -nc, --no-color            disable color in output

Examples

  • To check CORS misconfigurations for a specific domain:

python3 CorsOne.py -u https://example.com/

  • To check CORS misconfigurations for a list of domains:

cat urls.txt | python3 CorsOne.py

or

python3 CorsOne.py -l list.txt

  • Stop after finding the first CORS vulnerability:

python3 CorsOne.py -u https://example.com/ -sof

  • Check CORS misconfigurations with custom headers:

python3 CorsOne.py -u https://example.com/ -ch "Cookie: name=value;\nAccept-Encoding: gzip, deflate, br"

  • Check CORS misconfigurations with rate limit:

python3 CorsOne.py -u https://example.com/ -rl 5

  • Check CORS misconfigurations with a custom HTTP method (default GET):

python3 CorsOne.py -u https://example.com/ -m POST

  • Check CORS misconfigurations using a proxy:

python3 CorsOne.py -u https://example.com/ -p "socks5://ip:port/"

  • Save scan results to a file using -o:

python3 CorsOne.py -u https://example.com/ -o output_filename.txt

Acknowledgment

About

CorsOne - CORS Misconfiguration Discovery Tool

Topics

python penetration-testing bugbounty bugbounty-tool cors-misconfiguration

Resources

Readme

License

MIT license

Code of conduct

Code of conduct
Activity

Stars

16 stars

Watchers

1 watching

Forks

3 forks
Report repository

Releases 3

CorsOne v0.9.5 Latest
Sep 3, 2024
+ 2 releases

Contributors 2

  •  
  •  

Languages