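# Fuzz signature for permissive CORS handling. It sends mutated Origin and
# Referer headers and reports a response that carries a matching
# Access-Control-Allow-Origin value together with
# Access-Control-Allow-Credentials: true.
# The generators cover prefix, suffix and concatenated variants of the
# expected origin, so a confirmed hit usually means the server matches origins
# by prefix/suffix/substring. The fix on the server side is an exact
# comparison against an allow-list of full origins (scheme, host, port).
id: cors-01
type: fuzz
info:
  name: CORS Misconfiguration
  risk: Medium

# Marker values substituted for {{.payload}} in the generators and detections.
payloads:
  - 'http://example.com'
  - 'example.com'
  - 'non'

requests:
  # Request set 1: the marker is placed in front of the rest of the value.
  # [[.original]] is presumably the header's original value and {{.Domain}}
  # the target's domain; confirm against the scanner's variable reference.
  # %0a%0d is a percent-encoded LF followed by CR; whether it is sent literally
  # or decoded is not visible in this file.
  - generators:
      - Header("{{.payload}}[[.original]]", "Origin")
      - Header("{{.payload}}[[.original]]", "Referer")
      - Header("{{.payload}}{{.Domain}}", "Origin")
      - Header("{{.payload}}{{.Domain}}", "Referer")
      - Header("{{.payload}}%0a%0d{{.Domain}}", "Referer")
      - Header("{{.payload}}%0a%0d{{.Domain}}", "Origin")
    detections:
      # Allowed origin starts with the marker and credentials are allowed.
      # NOTE(review): the header names are matched as literal text with one
      # space after the colon; if StringSearch is case-sensitive, lowercase
      # header names (as in HTTP/2) would be missed. Confirm.
      - >-
        StringSearch("response","Access-Control-Allow-Origin: {{.payload}}") &&
        StringSearch("response","Access-Control-Allow-Credentials: true")
      # NOTE(review): this check does not reference the marker, so it reports
      # the same response for every generator and payload. Browsers refuse a
      # wildcard allowed origin on credentialed requests, so triage a hit as a
      # configuration finding rather than proof of a credentialed
      # cross-origin read.
      - >-
        StringSearch("response","Access-Control-Allow-Origin: *") &&
        StringSearch("response","Access-Control-Allow-Credentials: true")
  # Request set 2: the marker is placed in front of {{.Domain}} or appended
  # to the original value.
  - generators:
      - Header("{{.payload}}{{.Domain}}", "Origin")
      - Header("{{.payload}}{{.Domain}}", "Referer")
      - Header("[[.original]]{{.payload}}", "Origin")
      - Header("[[.original]]{{.payload}}", "Referer")
      - Header("[[.original]]%0a%0d{{.payload}}", "Origin")
      - Header("[[.original]]%0a%0d{{.payload}}", "Referer")
    detections:
      # Allowed origin equals the original value with the marker appended.
      - >-
        StringSearch("response","Access-Control-Allow-Origin: [[.original]]{{.payload}}") &&
        StringSearch("response","Access-Control-Allow-Credentials: true")
      # NOTE(review): the marker is interpolated into the regex unescaped, so
      # '.' in 'example.com' matches any character, and the short marker 'non'
      # matches any allowed origin that merely contains those letters (for
      # example a fixed allow-list entry). Confirm that the value was
      # actually reflected before reporting.
      - >-
        RegexSearch("response","Access-Control-Allow-Origin.*{{.payload}}") &&
        StringSearch("response","Access-Control-Allow-Credentials: true")
      # Same marker-independent wildcard check as in request set 1; the same
      # triage caveat applies.
      - >-
        StringSearch("response","Access-Control-Allow-Origin: *") &&
        StringSearch("response","Access-Control-Allow-Credentials: true")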