README
¶
gocors
A tool for scanning domains for CORS misconfigurations written in Go.
Final project for COMP 424 Software Security
Professor: Dr. Wonju Lee
By:
Sabra Bilodeau
Sally Chung
Misconfigurations Tested
gocors tests the follow CORS misconfigurations:
- Backtick Bypass
- HTTP Origin
- Origin Reflection
- Null Origin
- Post-Domain Bypass
- Pre-Domain Bypass
- Special Characters Bypass
- Third Party Origin
- Underscore Bypass
- Unescaped Dot Bypass
- Wildcard Origin
For more information on each, including sample exploits and possible fixes for the vulnerabilities, please click the link provided.
Installation
Clone the repository:
git clone https://github.com/Cryliss/gocors.git
Change directories to the repository's directory:
cd gocors
Build the application:
make build
Usage
Simple Scans
To run a scan on a signle URL, use ./gocors -url https://example.com.
To run scans on multiple URLs, save the URLs to a .txt file and run the program like so:
./gocors -input global_top_100_domains.txt
Configurable Scans
To add additional configuration to a request, there are two options.
- Add any of the following command line flags to your input
- Update the provided
conf.jsonto reflect your desired configuration.
CLI flags
| Flag | Description | Default |
|---|---|---|
| -url | The URL to scan for CORS misconfiguration | "" |
| -headers | Include headers | "" |
| -method | Include another method other than GET |
"GET" |
| -input | A text file with a list of domains or a json configuration file | "" |
| -threads | Number of threads to use for the scan | 10 |
| -output | Directory to save the results to a JSON file. | "" |
| -timeout | Set requests timeout | "10s" |
| -proxy | Use a proxy (HTTP) | "" |
| -h | Show the help information & exit | N/A |
| -verbose | Enables the UI to display realtime results | false |
Example Usage of the CLI flags
- URL:
./gocors -url https://example.com - Headers:
./gocors -url https://example.com -headers "User-Agent: GoogleBot\nCookie: SESSION=Hacked" - Method:
./gocors -url https://example.com -method POST - Input:
./gocors -input global_top_100_domains.txt - Threads:
./gocors -url https://example.com -threads 20 - Output:
./gocors -url https://example.com -output "/path/to/your/results/directory/" - Timeout:
./gocors -url https://example.com -timeout 20s - Proxy:
./gocors -url https://example.com -proxy http://127.0.0.1:4545 - Verbose:
./gocors -url https://example.com -verbose true
Using gocors in your own application
Run go get github.com/Cryliss/gocors in your terminal.
package main
import (
"github.com/Cryliss/gocors"
"github.com/Cryliss/gocors/scanner"
)
func main() {
// Set our scanner configuration variables
output := "/path/to/your/output/directory"
timeout := "10s"
threads := 10
// Create a new scanner.
corsScanner := gocors.InitGoCors(output, timeout, threads)
/*
In order to start running tests with gocors, we need to create them first.
Creating tests requires an array of domain names, a scanner.Headers variable
which is a map[string]string of header name-value pairs, a request method and
a proxy URL. If you want to set custom headers, do:
headers["cookie"] = "SESSION=Hacked"
After creating our headers variable and domain names, then we can call the create
tests function, which will set scanner.Conf.Tests value at the end.
*/
var headers scanner.Headers
domains := []string{"https://www.instagram.com/"}
corsScanner.CreateTests(domains, headers, "GET", "")
// Now that we have our tests set, we can go ahead and start the scanner.
// Once the scan finishes, it will automatically save your results to the output
// directory, if one is provided.
corsScanner.Start()
}
Directories