Corsy v1.0 - CORS Misconfiguration Scanner


Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations.

Requirements
Corsy only works with Python 3 and has the following dependencies:
  • tld
  • requests
To install these dependencies, navigate to the Corsy directory and execute pip3 install -r requirements.txt

Usage
Using Corsy is pretty simple
python3 corsy.py -u https://example.com

Scan URLs from a file
python3 corsy.py -i /path/urls.txt

Number of threads
python3 corsy.py -u https://example.com -t 20

Delay between requests
python3 corsy.py -u https://example.com -d 2

Export results to JSON
python3 corsy.py -i /path/urls.txt -o /path/output.json

Custom HTTP headers
python3 corsy.py -u https://example.com --headers "User-Agent: GoogleBot\nCookie: SESSION=Hacked"

Skip printing tips
-q can be used to skip printing the description, severity and exploitation fields in the output.

Tests implemented
  • Pre-domain bypass
  • Post-domain bypass
  • Backtick bypass
  • Null origin bypass
  • Unescaped dot bypass
  • Invalid value
  • Wild card value
  • Origin reflection test
  • Third party allowance test
  • HTTP allowance test
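
To show what several of these checks look for on the server side, here is an added example (not part of Corsy or of the original page) that runs a loosely written Origin check and an exact-match allowlist over one constructed origin per test class. The allowlist, the weak regex, the sample origins and their mapping to the test names are assumptions made for illustration.

```python
import re

# Assumed allowlist for a hypothetical site: exact scheme://host entries only.
ALLOWED_ORIGINS = {"https://example.com", "https://app.example.com"}

# Weak check: no end anchor, unescaped dot, http accepted alongside https.
WEAK_PATTERN = re.compile(r"https?://.*example.com")

# Constructed sample origins, one per misconfiguration class (assumed mapping).
SAMPLES = {
    "Pre-domain bypass": "https://notexample.com",
    "Post-domain bypass": "https://example.com.attacker.test",
    "Backtick bypass": "https://example.com`.attacker.test",
    "Null origin bypass": "null",
    "Unescaped dot bypass": "https://example-com.test",
    "HTTP allowance test": "http://example.com",
}

def weak_allows(origin):
    """Misconfigured validation: prefix regex match on the Origin header."""
    return bool(WEAK_PATTERN.match(origin))

def strict_allows(origin):
    """Hardened validation: the whole origin must equal an allowlist entry."""
    return origin in ALLOWED_ORIGINS

def cors_headers(origin):
    """Build response headers: echo the origin only when it is allowlisted."""
    headers = {"Vary": "Origin"}  # keep caches from reusing another origin's reply
    if strict_allows(origin):
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

def audit(validator):
    """Return the test classes whose sample origin the validator accepts."""
    return [name for name, origin in SAMPLES.items() if validator(origin)]

if __name__ == "__main__":
    print("weak check accepts:  ", audit(weak_allows))
    print("strict check accepts:", audit(strict_allows))
```

The weak check does not accept the literal null origin because its regex requires a scheme; that class typically appears when a server reflects or explicitly allowlists the string "null".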
