Tool that finds CORS misconfigurations.
go install github.com/wfinn/ucors@latest
$ echo https://target.tld/endpoint | ucors
$ cat urls.txt | ucors -c session=xyz123
Url: https://target.tld/endpoint Origin: null ACAC: true
...Many bypasses only work in Safari.
- usual reflection e.g. http(s)://evil.com
- https://target.tld.evil.com
- https://target.tldevil.com
- null (sandboxed iframes can have origin null)
- unescaped dots in regexes e.g. https://wwwxtarget.tld
- different TLDs e.g. https://target.wtf
- unexpected chars in subdomains https://target.tld&.evil.com
- Bonus check: xss on subdomains https://any.target.tld
Create a list of urls to check, (grab a valid session cookie) and start ucors to find some bypasses.
Ideally you prepare a list of all endpoints returning interesting data.
Below is an example output, you see the url, the payload that worked and if cookies are allowed
$ cat urls.txt | ucors -c session=xyz123
Url: https://target.tld/profile/private-data.json Origin: https://subdomain.target.tld&evil.com ACAC: true
Url: https://sub.target.tld/getSensitiveInfo Origin: null ACAC: true
...- -p to only print the generated bypasses and not make any requests
- -d evil.com to set the attacker domain
- -s to skip the url after finding a bypass
- -c abc=XYZ to set cookies
- -a "Bearer: abcXYZ" to set the Authorization header
This is based on @tomnomnom's cors-blimey.