This extension can be used to test websites for CORS misconfigurations.
It can spot trivial misconfigurations like arbitrary origin reflection, but also more sublte ones where a regex is not properly configured (e.g. www.victim.com.attacker.com).
An issue is created if a dangeours origin is reflected. If Access-Control-Allow-Credentials: true
is also set, the issue is rated high, otherwise low. Finally, the user has to decide whether the reflected Origin is intended (e.g. CDN) or whether it is a security issue.
CORS* - Additional CORS Checks
can be run in either automatic
or manual
mode.
- In the
CORS*
tab, the extension can be activated. - If activated, the extension will test CORS misconfigurations for each proxy request by sending multiple requests with different origins.
- There are options to only endable it for in-scope items and to exclude requests with certain file extensions.
- The
URL for CORS Request
is used to test for arbitrary reflection and as prefix/suffix in testing regex misconfigurations.
- If a potential misconfiguration is discovered, the request is highlighted in red (see request #3 above).
- The request here does reflect the
null
origin and hasAccess-Control-Allow-Credentials: true
set.
- If an issue is detected, it is also reported in the
Target
andDashboard
tabs.
- Requests can be added to
CORS*
using the extension menu.
- The requests to test for CORS misconfiguration can then be sent using the
Send CORS requests for selected entry
button.
To install CORS* - Additional CORS Checks
use the BApp Store. Open Burp and navigate to the Extender
tab, then to the BApp Store
tab. Select CORS*
and hit the Install
button to install the extension.
- Yves Bieri (Github: ybieri, Twitter: yves_bieri)
Thanks to https://github.com/chenjj/CORScanner for the inspiration and https://github.com/portswigger/bookmarks for the Burp template.