Skip to content

medjahdi/cors

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
core
core
 
 
db
db
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
Screenshot.png
Screenshot.png
 
 
cors.py
cors.py
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation


CORS

CORS Misconfiguration Scanner

Overview

CORS is a lightweight scanner that detects known misconfigurations in Cross-Origin Resource Sharing (CORS) implementations. It performs both active and passive checks, including preflight (OPTIONS) probing, and reports findings in a concise, CI-friendly format.

Screenshot

screenshot

Requirements

  • Python 3.7+
  • Dependencies (installed via requirements.txt):
    • requests
    • colorama (recommended on Windows for colored output)
    • aiohttp (optional; enables async mode)

Install dependencies (Windows PowerShell):

py -m pip install -r requirements.txt

Usage

Basic single target:

py cors.py -u https://example.com

Scan from file and export JSON:

py cors.py -i .\urls.txt -o .\output.json

Optional outputs and CI gating:

py cors.py -i .\urls.txt --jsonl .\output.jsonl --fail-on high

Custom HTTP headers (newline-delimited):

py cors.py -u https://example.com --headers "User-Agent: ExampleBot`nCookie: SID=abc"

Concurrency and delay:

py cors.py -u https://example.com -t 20 -d 2

Async mode (faster for large lists):

py cors.py -i .\urls.txt --async -t 50

Quiet output (hide tips):

py cors.py -u https://example.com -q

What it tests

  • Origin reflection
  • Pre-domain wildcard
  • Post-domain wildcard
  • Backtick parser bypass
  • Null origin allowed
  • Unescaped dot (regex) bypass
  • Underscore bypass
  • Invalid value
  • Wildcard value
  • Third-party allowed
  • HTTP origin allowed
  • Preflight checks (OPTIONS) with advisory for missing Vary: Origin and overly broad preflight

Output

  • Console uses a white/red color theme. Symbols remain readable without colors.
  • JSON (-o) writes a single file with all findings.
  • JSONL (--jsonl) writes one JSON object per line.
  • --fail-on sets a minimum severity causing a non-zero exit code for CI pipelines.

Disclaimer

  • This tool is intended for educational and authorized security testing only. Do not scan systems you do not own or explicitly have permission to test.
  • You are solely responsible for complying with all applicable laws and terms of service.
  • The authors and contributors assume no liability for misuse or damages arising from use of this tool.

Troubleshooting

  • Windows colors: If colors don’t show, ensure colorama is installed (it’s in requirements.txt).
  • Timeouts/redirects: Network hiccups are handled with small retries and an 8s timeout; adjust your wordlists or delays if you see many timeouts.
  • Large scans: Use --async and increase -t conservatively; consider -d to reduce bans.

License

GPL-3.0 (see LICENSE)

About

Misconfiguration Scanner

medjahdi.vercel.app/

Topics

cors cybersecurity penetration-testing cors-middleware cors-enabled security-tools

Resources

Readme

License

GPL-3.0 license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages