RYDE-WORK/CORStest
1
0
Fork 0
mirror of https://github.com/RYDE-WORK/CORStest.git synced 2026-01-19 21:23:20 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

It's 2020 and we're Python 3 compatible :)

Browse Source
This commit is contained in:
jensvoid 2020-08-14 21:46:07 +02:00 committed by GitHub
parent 5fbc6f95e5
commit beffd0b316
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -3,7 +3,7 @@
**Based on the research of [James Kettle](https://twitter.com/albinowax)** **Based on the research of [James Kettle](https://twitter.com/albinowax)**
CORStest is a *quick & dirty* Python 2 tool to find Cross-Origin Resource Sharing ([CORS](https://www.w3.org/TR/cors/)) misconfigurations. It takes a text file as input which may contain a list of domain names or URLs. Currently, the following potential vulnerabilities are detected by sending a certain `Origin` request header and checking for the `Access-Control-Allow-Origin` response header: CORStest is a *quick & dirty* Python 3 tool to find Cross-Origin Resource Sharing ([CORS](https://www.w3.org/TR/cors/)) misconfigurations. It takes a text file as input which may contain a list of domain names or URLs. Currently, the following potential vulnerabilities are detected by sending a certain `Origin` request header and checking for the `Access-Control-Allow-Origin` response header:
- **Developer backdoor:** Insecure dev origins like JSFiddle or CodePen are allowed to access this resource - **Developer backdoor:** Insecure dev origins like JSFiddle or CodePen are allowed to access this resource
- **Origin reflection:** The origin is simply echoed in ACAO header, any site is allowed to access this resource - **Origin reflection:** The origin is simply echoed in ACAO header, any site is allowed to access this resource