Wednesday, 11 August 2021

Bounty CORSare

A few days ago someone asked me about CORS-related vulnerabilities. I decided it would be a good idea to try to create a small tool. Below you'll find the whole story. Here we go...

Today we'll start here:

As the misconfiguration bug is already pretty well explained online [1, 2, 3], my main goal was to focus only on the script code. For a 'quick PoC' I decided to stay with Python 3.

In my 'ideal scenario' what I was looking for was:
- an HTTP(S) service available on a remote host
- modifying the 'Origin' header
- checking for the mentioned header echoed back in the response...
- ...as well as the existence of "other headers" (e.g. "Access-Control-Allow-Credentials: true").

So far we should be somewhere here:

As you'll see (in the code), the script is 'very basic' and can be easily extended. I know. ;) But I'll leave it to you as an exercise. ;)

Continuing, I was wondering how to try CORSare.py with something 'more automated'. And that's how I landed on my previous post about DNS enumeration:

So my next move was to recreate similar steps and prepare a "semi-automated CORS-scanning" tool ;)

Quick results you'll find below, preparing our 'target list':

Next, some greps to grab only the IP(s):

For now we can continue with CORSare.py (in a simple bash for-loop), like this:
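A Python equivalent of the grep-and-loop step, added here as an example (it is not the one-liner from the post): it pulls the IPs out of the enumeration output, expands every target over a per-scheme port list and de-duplicates, so a host that several names resolve to is probed once. It also takes the host from the parsed netloc, so a URL passed with its scheme is not prefixed with a second one (CORSare.py builds its URL as scheme + '://' + the raw argument, which only works for a bare host or IP). The enumeration lines are constructed sample data and the example.test names and documentation addresses are placeholders.

```python
#!/usr/bin/env python3
"""Build a CORS-scan target list from DNS-enumeration output.

Added example, not the grep/bash loop from the post. SAMPLE_ENUM_OUTPUT
is constructed; the hosts and addresses in it are placeholders.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample of the kind of output a DNS enumeration run leaves behind.
SAMPLE_ENUM_OUTPUT = """\
www.example.test.   A   203.0.113.10
api.example.test.   A   203.0.113.10
dev.example.test.   A   198.51.100.7
mail.example.test.  MX  10 mx.example.test.
https://portal.example.test:8443/login
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Ports to try per scheme; the post's script sends one list to both.
PORTS = {"http": (80, 8080, 8100, 8180, 9100), "https": (443, 8443)}


def extract_ips(text):
    """The 'grep for IPs' step: unique, valid IPv4 addresses, first-seen order."""
    seen = []
    for cand in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(cand)  # rejects look-alikes such as 999.1.1.1
        except ValueError:
            continue
        if cand not in seen:
            seen.append(cand)
    return seen


def expand_target(raw):
    """Turn one IP / hostname / URL into (scheme, host, port) probes.

    A bare host gets both schemes over their port lists; a URL keeps its
    scheme, and if it names a port only that port is probed. The host is
    always the parsed netloc, never the raw string, so a scheme is never
    glued in front of another scheme.
    """
    parsed = urlparse(raw if "://" in raw else "//" + raw)
    host = parsed.hostname
    if not host:
        return []
    schemes = [parsed.scheme] if parsed.scheme in PORTS else list(PORTS)
    probes = []
    for scheme in schemes:
        ports = [parsed.port] if parsed.port else PORTS[scheme]
        for port in ports:
            probes.append((scheme, host, port))
    return probes


def build_targets(enum_output, extra=()):
    """IPs from enumeration output plus explicit hosts/URLs, expanded and de-duplicated."""
    ordered = []
    for raw in extract_ips(enum_output) + list(extra):
        for probe in expand_target(raw):
            if probe not in ordered:
                ordered.append(probe)
    return ordered


def as_url(scheme, host, port):
    """Render one probe as the URL a scanner (or CORSare.py) would take."""
    return "%s://%s:%d/" % (scheme, host, port)


if __name__ == "__main__":
    for scheme, host, port in build_targets(SAMPLE_ENUM_OUTPUT):
        print(as_url(scheme, host, port))
```

Feed real enumeration output in place of the sample and pipe the printed URLs, one per line, into whatever probe you use for the Origin check.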


After a while we should be somewhere here:


If you'd like to check your server(s) using this code, below you'll find the current "full version". It is base64-encoded, so decode it (base64 -d) to get CORSare.py back. Note that the script sends POST requests with TLS verification disabled (verify=False) and a 1-second timeout, and it tries every port from its list in turn, so a slow host shows up as an error rather than a finding and every closed port prints a connection error.

---<cut>---

c@box:~/tools/CORSar$ base64 CORSare.py
IyEvdXNyL2Jpbi9lbnYgcHl0aG9uMwojIENPUlNhcmUucHkgLSBtaXNjb25maWcgQ09SUyBmaW5k
ZXIKIyAKIyAxMC4wOC4yMDIxIEAgMTg6MzAgCiMgICAnTHVkemllLCBzdG9qYWN5IGphayBqYSAt
IG5hIGtyYXdlZHppIC0gbmllIGJvamEgc2llLCB6ZSBtb2dhIHNwYXNjLiAKIyAgICBUeWxrbywg
emUgbW9nYSBza29jenljLicKIyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgTWFyZ2luIENhbGwsIDIwMTEKIyAKCmltcG9ydCByZXF1ZXN0cwppbXBvcnQgc3lz
CmZyb20gdXJsbGliLnBhcnNlIGltcG9ydCB1cmxwYXJzZQpwb3J0cyA9IFs4MCwgNDQzLCA4NDQz
LCA4MDgwLCA4MTAwLCA4MTgwLCA5MTAwIF0KdGFyZ2V0ID0gc3lzLmFyZ3ZbMV0KaW1wb3J0IHVy
bGxpYjMKdXJsbGliMy5kaXNhYmxlX3dhcm5pbmdzKCkKaW1wb3J0IHNvY2tldAoKCnNlc3MgPSBy
ZXF1ZXN0cy5TZXNzaW9uKCkKCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjCgoKZGVm
IHNlbmRfbWUoc2NoLHRhcmcscCk6CiAgICBwcmludCgiICAgIFshXSBTZW5kaW5nOiAlczovLyVz
OiVzIiAlIChzY2gsIHRhcmcsIHApKQoKICAgICMgNC4gbWVudGlvbmVkIChiZWxvdyk6IHNlbmRp
bmcgcmVxIGFuZCBjaGVjayBoZWFkZXJzCiAgICBjdXJyZW50X3RhcmdldCA9IHNjaCArICc6Ly8n
ICsgdGFyZyArICc6JyArIHAKCiAgICB0cnk6CgogICAgICAgIGhlYWRlcnMgPSB7fQogICAgICAg
IGhlYWRlcnMudXBkYXRlKHsnVXNlci1BZ2VudCc6ICdNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAx
MC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBD
aHJvbWUvOTAuMC40NDMwLjIxMiBTYWZhcmkvNTM3LjM2JyB9KQogICAgICAgIHJlcSA9IHNlc3Mu
cG9zdChjdXJyZW50X3RhcmdldCwgaGVhZGVycz1oZWFkZXJzLCB2ZXJpZnk9RmFsc2UsIHRpbWVv
dXQ9MSkKICAgICAgICByZXNwX2hlYWRzID0gcmVxLmhlYWRlcnMKCiAgICAgICAgcHJpbnQoIiAg
ICBbK10gcmVzcG9uc2UgZm9yIGN1cnJlbnQgaGVhZGVyczoiKQogICAgICAgIHByaW50KHJlc3Bf
aGVhZHMpCgoKICAgICAgICAjIHVwZGF0aW5nIGhlYWRlcnM6CiAgICAgICAgb3JpZ2luYWxfcHJh
bmtzdGVyID0geydPcmlnaW4nOidodHRwczovL3NpYWxhbGEuc3VwZXIub3JpZ2luYWwnfQogICAg
ICAgIGhlYWRlcnMudXBkYXRlKG9yaWdpbmFsX3ByYW5rc3RlcikgCiAgICAgICAgcHJpbnQoIiAg
ICBbaV0gcmVzZW5kaW5nIHVwZGF0ZWQgKGV2aWwpIGhlYWRlcnMuLi4iKQogICAgICAgIHByaW50
KCIgICAgW2ldIGV2aWwgaGVhZGVyczogJXMiICUgaGVhZGVycykKCgogICAgICAgIHJlcSA9IHNl
c3MucG9zdChjdXJyZW50X3RhcmdldCwgaGVhZGVycz1oZWFkZXJzLCB2ZXJpZnk9RmFsc2UsIHRp
bWVvdXQ9MSkKICAgICAgICByZXNwX2hlYWRzMiA9IHJlcS5oZWFkZXJzCiAgICAgICAgcHJpbnQo
IiAgICBbPl0gdXBkYXRlZCBoZWFkZXJzIGluIHJlc3BvbnNlOiIpCiAgICAgICAgcHJpbnQocmVz
cF9oZWFkczIpCgoKICAgICAgICBmb3Igayx2IGluIHJlc3BfaGVhZHMyLml0ZW1zKCk6CiAgICAg
ICAgICAgIGlmICdBY2Nlc3MtQ29udHJvbC1BbGxvdy1DcmVkZW50aWFscycgaW4gazoKICAgICAg
ICAgICAgICAgIGlmIHYgPT0gJ3RydWUnOgogICAgICAgICAgICAgICAgICAgIHByaW50KCIgICBb
ISEhXSAgQWNjZXNzLUNvbnRyb2wtQWxsb3ctQ3JlZGVudGlhbHM6IHRydWUgICAgICAgICAgICAg
ICAgICAgICAgICAgIDwtLS0tLS0tLSBTVEVQIDEvMiBMT09LUyBDT1JSRUNUICEgKGxvb2sgZm9y
IHN0ZXAgMi8yIC0+IGlmIG5vdCBmb3VuZCwgcHJvYmFibHkgaXQgd2lsbCBiZSBhICdmYWxzZSBw
b3NpdGl2ZScgZm9yIG91ciBwdXJwb3NlKCQpIikKCiAgICAgICAgICAgIGlmICdzaWFsYWxhJyBp
biB2OgogICAgICAgICAgICAgICAgcHJpbnQoIktleTogJXMgd2l0aCB2YWx1ZTogJXMiICUgKGss
diApKQogICAgICAgICAgICAgICAgcHJpbnQoIiAgICBbISEhXSBGT1VORCBPUklHSU5BTCBQUkFO
S1NURVI6ICVzOi8vJXM6JXMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8LS0tLS0t
LS0tLS0gVkVSSUZZIE5PVyAoMi8yKSAhIChsb29rcyBnb29kISBwbGVhc2UgY2hlY2sgZGV0YWls
ZWQgbG9nIGZpbGUpIiAlIChzY2gsIHRhcmcsIHApKQoKCgoKCgogICAgICAgIHByaW50KCIgLS0g
dGVzdCBmb3IgJXM6JXMgaXMgZmluaXNoZWQgLS0gbmV4dCB0ZXN0IGJlbG93OiAtLSBcbiIgJSAo
dGFyZywgcCkpCiAgICBleGNlcHQgcmVxdWVzdHMuZXhjZXB0aW9ucy5TU0xFcnJvciBhcyBlOgog
ICAgICAgIHByaW50KCIgICAgWy1dIEVycm9yOiAlcyAiICUgZSkKICAgIGV4Y2VwdCBzb2NrZXQu
Z2FpZXJyb3IgYXMgZToKICAgICAgICBwcmludCgiICAgIFstXSBFcnJvcjogJXMiICUgZSkKICAg
IGV4Y2VwdCBzb2NrZXQudGltZW91dCBhcyBlOgogICAgICAgIHByaW50KCIgICAgWy1dIEVycm9y
OiAlcyAiICUgZSkKCiAgICBleGNlcHQgdXJsbGliMy5leGNlcHRpb25zLk5ld0Nvbm5lY3Rpb25F
cnJvciBhcyBlOgogICAgICAgIHByaW50KCIgICAgWy1dIEVycm9yOiAlcyAiICUgZSkKCiAgICBl
eGNlcHQgdXJsbGliMy5leGNlcHRpb25zLlJlYWRUaW1lb3V0RXJyb3IgYXMgZToKICAgICAgICBw
cmludCgiICAgIFstXSBFcnJvcjogJXMgIiAlIGUpCgogICAgZXhjZXB0IHJlcXVlc3RzLmV4Y2Vw
dGlvbnMuQ29ubmVjdGlvbkVycm9yIGFzIGU6CiAgICAgICAgcHJpbnQoIiAgICBbLV0gRXJyb3I6
ICVzICIgJSBlKQoKICAgIGV4Y2VwdCB1cmxsaWIzLmV4Y2VwdGlvbnMuTWF4UmV0cnlFcnJvciBh
cyBlOgogICAgICAgIHByaW50KCIgICAgWy1dIEVycm9yOiAlcyAiICUgZSkKCiAgICBleGNlcHQg
dXJsbGliMy5leGNlcHRpb25zLk5ld0Nvbm5lY3Rpb25FcnJvciBhcyBlOgogICAgICAgIHByaW50
KCIgICAgWy1dIEVycm9yOiAlcyAiICUgZSkKCiAgICBleGNlcHQgcmVxdWVzdHMuZXhjZXB0aW9u
cy5SZWFkVGltZW91dCBhcyBlOgogICAgICAgIHByaW50KCIgICAgWy1dIEVycm9yOiAlcyAiICUg
ZSkKCiAgICBleGNlcHQgdXJsbGliMy5leGNlcHRpb25zLlJlYWRUaW1lb3V0RXJyb3IgYXMgZToK
ICAgICAgICBwcmludCgiICAgIFstXSBFcnJvcjogJXMgIiAlIGUpCgogICAgZXhjZXB0IHVybGxp
YjMuZXhjZXB0aW9ucy5NYXhSZXRyeUVycm9yICBhcyBlOgogICAgICAgIHByaW50KCIgICAgWy1d
IEVycm9yOiAlcyAiICUgZSkKCiAgICBleGNlcHQgcmVxdWVzdHMuZXhjZXB0aW9ucy5SZWFkVGlt
ZW91dCAgYXMgZToKICAgICAgICBwcmludCgiICAgIFstXSBFcnJvcjogJXMgIiAlIGUpCgogICAg
ZXhjZXB0IHVybGxpYjMuZXhjZXB0aW9ucy5SZWFkVGltZW91dEVycm9yIGFzIGU6CiAgICAgICAg
cHJpbnQoIiAgICBbLV0gRXJyb3I6ICVzICIgJSBlKQoKICAgIGV4Y2VwdCB1cmxsaWIzLmV4Y2Vw
dGlvbnMuTWF4UmV0cnlFcnJvciBhcyBlOgogICAgICAgIHByaW50KCIgICAgWy1dIEVycm9yOiAl
cyAiICUgZSkKCgoKCgojIDEuIHByaW50IHRhcmdldCAKcHJpbnQoIlsrXSBQYXJzaW5nIGN1cnJl
bnQgdGFyZ2V0OiAlcyIgJSB0YXJnZXQpICMgZnJvbSBsaW5lIGluIGxpbmVzLi4uCgojIDJhLiBw
YXJzZSB0YXJnZXQtbGluZQpwYXJzZWQgPSB1cmxwYXJzZSh0YXJnZXQpCgojIDJiLiBjaGVja2lu
ZyBwYXJzZWQgdGFyZ2V0OgpwcmludCgiICBbP10gdGFyZ2V0IHNjaGVtZSA6ICIsIHBhcnNlZC5z
Y2hlbWUpCnByaW50KCIgIFs/XSB0YXJnZXQgbmV0bG9jIDogIiwgcGFyc2VkLm5ldGxvYykKcHJp
bnQoIiAgWz9dIHRhcmdldCBwYXRoICAgOiAiLCBwYXJzZWQucGF0aCkKcHJpbnQoIiAgWz9dIHRh
cmdldCBwb3J0ICAgOiAiLCBwYXJzZWQucG9ydCkKCnByaW50KCIgIFtpXSB0YXJnZXQgcGFyc2Vk
LCBjaGVja2luZzoiKQoKIyAzLiBwcmVwYXJlIHJlcXVlc3QocykgdG8gdGFyZ2V0IChhbmQgcG9y
dHMpCiMgNC4gbmV4dCBzdGVwIGlzIHRvIGxvb2sgZm9yIGludGVyZXN0aW5nIGhlYWRlcnMsIHNv
PyA7XQoKaWYgcGFyc2VkLnNjaGVtZSA9PSAnaHR0cHMnOgogICAgIyBwcmludCgiZm91bmQgaHR0
cHMiKQoKICAgICMgcHJlcGFyaW5nIHRhcmdldCBmb3IgcG9ydHM6CiAgICBmb3IgcG9ydCBpbiBw
b3J0czoKICAgICAgICBwcmVwYXJpbmdfdGFyZ2V0ID0gcGFyc2VkLnNjaGVtZSArICc6Ly8nICsg
dGFyZ2V0ICsgJzonICsgc3RyKHBvcnQpCiAgICAgICAgcHJpbnQoIiAgWytdIHByZXBhcmVkIHBh
cnNlZCB0YXJnZXQ6ICVzIiAlIHByZXBhcmluZ190YXJnZXQpCgogICAgICAgIHNlbmRfbWUocGFy
c2VkLnNjaGVtZSwgdGFyZ2V0LCBzdHIocG9ydCkpCgoKZWxpZiBwYXJzZWQuc2NoZW1lID09ICdo
dHRwJzoKICAgICMgcHJpbnQoImZvdW5kIGh0dHAiKQoKICAgICMgcHJlcGFyaW5nIHRhcmdldCBm
b3IgcG9ydHM6CiAgICBmb3IgcG9ydCBpbiBwb3J0czoKICAgICAgICBwcmVwYXJpbmdfdGFyZ2V0
ID0gcGFyc2VkLnNjaGVtZSArICc6Ly8nICsgdGFyZ2V0ICsgJzonICsgc3RyKHBvcnQpCiAgICAg
ICAgcHJpbnQoIiAgWytdIHByZXBhcmVkIHBhcnNlZCB0YXJnZXQ6ICVzIiAlIHByZXBhcmluZ190
YXJnZXQpCiAgICAgICAgc2VuZF9tZShwYXJzZWQuc2NoZW1lLCB0YXJnZXQsIHN0cihwb3J0KSkK
CgplbHNlOgogICAgIyBwcmludCgicHJvYmFibHkgbm8gc2NoZW1lIGZvdW5kLCBzbyBjaGVja2lu
ZyBodHRwIGFzIGEgZGVmYXVsdCIpCgogICAgIyBwcmVwYXJpbmcgdGFyZ2V0IGZvciBwb3J0czoK
ICAgIGZvciBwb3J0IGluIHBvcnRzOgogICAgICAgIHByZXBhcmluZ190YXJnZXQgPSAnaHR0cHM6
Ly8nICsgdGFyZ2V0ICsgJzonICsgc3RyKHBvcnQpCiAgICAgICAgcHJpbnQoIiAgWytdIHByZXBh
cmVkIHBhcnNlZCAobm8gc2NoZW1lKSB0YXJnZXQ6ICVzIiAlIHByZXBhcmluZ190YXJnZXQpCiAg
ICAgICAgcGFyc2VkX3NjaGVtZSA9ICdodHRwcycKICAgICAgICBzZW5kX21lKHBhcnNlZF9zY2hl
bWUsIHRhcmdldCwgc3RyKHBvcnQpKQoKCgoKCgo=
c@box:~/tools/CORSar$

---</cut>---

Maybe you'll find it useful. ;)

In case of any questions - feel free to ask.

See you next time!

Cheers



