loading
loading
Vulnerabilities
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
overview
corstest checks how a site responds to cross-origin requests and flags configurations that let the wrong origins read responses. CORS controls which other sites a browser permits to read a target's data, and a loose policy, reflecting any origin or trusting null, can expose authenticated data to an attacker's page. corstest sends crafted Origin headers and reads the access-control responses to find those mistakes.
It is built for breadth. Feed it a file of URLs or domains and it tests each one, running many checks in parallel. Quiet mode narrows output to the high-value case where credentials are allowed alongside a permissive origin, and a cookie option lets it test endpoints that only misbehave for an authenticated session.
In a Trickest workflow it takes a file of URLs and writes a file and a folder of results. Run it across endpoints a crawler or prober surfaced, and treat any host that reflects an arbitrary origin with credentials as a finding worth manual confirmation.
source github.com/RUB-NDS/CORStest
use cases
Send crafted Origin headers across a URL list to find hosts that reflect arbitrary origins or trust null, leaking cross-origin data.
Use quiet mode to surface only endpoints that allow credentials with a permissive origin, the combination that exposes data.
Send a session cookie with every request so corstest catches misconfigurations that only appear for logged-in users.
Pass a file of URLs and raise the process count so a single run checks CORS across a wide surface in parallel.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| infile | FILE | · | URLs/domains to scan |
| quiet | BOOLEAN | -q | quiet, allow-credentials only |
| cookies | STRING | -c | Send cookie with all requests (name=value) |
| processes | STRING | -p | multiprocessing (default: 32) |
| verbose | BOOLEAN | -v | produce a more verbose output |
Showing key inputs. corstest exposes 5 inputs in total.
example
# quiet CORS check across a URL list, 32 workerscorstest.py -q -p 32 urls.txt # authenticated sweep with a session cookiecorstest.py -c 'session=abc123' -v urls.txt[*] https://example.com/ (reflect)[*] https://api.example.com/v1/me (reflect+creds)[*] https://app.example.com/profile (null origin)[*] https://staging.example.com/ (reflect)[*] https://example.com/api/user (reflect+creds)[*] https://www.example.com/account (null origin)[*] https://cdn.example.com/ (no CORS)guidance
Use CORStest when you have a set of URLs and want to know which expose data through a loose CORS policy. It tests CORS specifically, so for broad web checks pair it with a scanner like nuclei. Feed it endpoints a crawler or prober already surfaced.
Another CORS misconfiguration scanner. CORStest is multiprocessed and built around a URL file.
Has CORS templates among broad coverage. CORStest is the focused, parallel checker.
Probes hosts and emits live URLs. Run it first, then feed CORStest the responding endpoints.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
Accurately fingerprint and detect Netscaler and Citrix ADC versions vulnerable to CVE-2023-3519.
A URL list is probed by httpx, then CORStest checks the live endpoints for CORS misconfigurations and writes the findings as output.
Facts on this page come from the live Trickest tool library.