This extension can be used to test websites for CORS misconfigurations.
It can spot trivial misconfigurations like arbitrary origin reflection, but also more sublte ones where a regex is not properly configured (e.g. www.victim.com.attacker.com).
An issue is created if a dangeours origin is reflected. If Access-Control-Allow-Credentials: true is also set, the issue is rated high, otherwise low. Finally, the user has to decide whether the reflected Origin is intended (e.g. CDN) or whether it is a security issue.
CORS* - Additional CORS Checks can be run in either automatic or manual mode.
- In the
CORS*tab, the extension can be activated. - If activated, the extension will test CORS misconfigurations for each proxy request by sending multiple requests with different origins.
- There are options to only endable it for in-scope items and to exclude requests with certain file extensions.
- The
URL for CORS Requestis used to test for arbitrary reflection and as prefix/suffix in testing regex misconfigurations.
- If a potential misconfiguration is discovered, the request is highlighted in red (see request #3 above).
- The request here does reflect the
nullorigin and hasAccess-Control-Allow-Credentials: trueset.
- If an issue is detected, it is also reported in the
TargetandDashboardtabs.
- Requests can be added to
CORS*using the extension menu.
- The requests to test for CORS misconfiguration can then be sent using the
Send CORS requests for selected entrybutton.
To install CORS* - Additional CORS Checks use the BApp Store. Open Burp and navigate to the Extender tab, then to the BApp Store tab. Select CORS* and hit the Install button to install the extension.
- Yves Bieri (Github: ybieri, Twitter: yves_bieri)
Thanks to https://github.com/chenjj/CORScanner for the inspiration and https://github.com/portswigger/bookmarks for the Burp template.