1 | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
2 | | -Huntin method 1(Single target): |
| 1 | +# Misconfigured CORS |
| 2 | + Here are few methods and steps you can do to check for misconfigure cors. |
| 3 | + |
| 4 | +* Hunting method 1(Single target): |
| 5 | + |
| 6 | +``` |
3 | 7 | Step->1. Capture the target website and spider or crawl all the website using burp. |
4 | 8 | Step->2. Use burp search look for Access-Control |
5 | 9 | Step->3. Try to add Origin Header i.e,Origin:attacker.com or Origin:null or Origin:attacker.target.com or Origin:target.attacker.com |
6 | 10 | Step->4 If origin is reflected in response means the target is vuln to CORS |
7 | | - |
| 11 | +``` |
8 | 12 | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
9 | 13 |
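Review bot: Step 4 overstates the finding: an Origin value echoed back in `Access-Control-Allow-Origin` is only a real issue when the response also carries `Access-Control-Allow-Credentials: true` and returns data that differs for an authenticated user, so add that check before calling the target "vuln to CORS", and note that `Origin: null` reflection is a distinct case from arbitrary-origin reflection. Two smaller points in this hunk: the intro still reads "check for misconfigure cors" (should be "misconfigured CORS"), and the new fence has no language tag; since the content is numbered prose steps rather than commands, a list would render better than a code block.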
|
10 | | -Hunting method 2(mutliple means including subdomains): |
11 | | - |
| 14 | +* Hunting method 2(mutliple means including subdomains): |
| 15 | +``` |
12 | 16 | step 1-> find domains i.e subfinder -d target.com -o domains.txt |
13 | 17 | step 2-> check alive ones : cat domains.txt | httpx | tee -a alive.txt |
14 | 18 | step 3-> send each alive domain into burp i.e, cat alive.txt | parallel -j 10 curl --proxy "http://127.0.0.1:8080" -sk 2>/dev/null |
15 | 19 | step 4-> Repeat hunting method 1 |
16 | | - |
| 20 | +``` |
17 | 21 | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
18 | 22 |
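Review bot: The heading still misspells "mutliple"; the old line carried the same typo, so this rewrite was the chance to fix it. In step 2, `tee -a` appends to `alive.txt`, so a second run against the same target duplicates every host; use `tee` without `-a`, or `sort -u` the file before step 3. Step 3 only requests the root path of each host through the proxy, so the Burp search from method 1 will only see `Access-Control` headers on `/`; the spider/crawl step of method 1 still has to be run per host, which step 4 should say explicitly.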
|
19 | | -#Both above method are manual methods so lets check an automated way |
20 | | -#tools : link1:https://github.com/chenjj/CORScanner |
21 | | - link2:https://github.com/lc/theftfuzzer |
22 | | - link3:https://github.com/s0md3v/Corsy |
23 | | - link4:https://github.com/Shivangx01b/CorsMe |
24 | | -Automate Way : |
| 23 | +* Both above method are manual methods so lets check an automated way |
| 24 | +# Tools |
| 25 | +* [https://github.com/chenjj/CORScanner](https://github.com/chenjj/CORScanner) |
| 26 | +* [https://github.com/lc/theftfuzzer](https://github.com/lc/theftfuzzer) |
| 27 | +* [https://github.com/s0md3v/Corsy](https://github.com/s0md3v/Corsy) |
| 28 | +* [https://github.com/Shivangx01b/CorsMe](https://github.com/Shivangx01b/CorsMe) |
25 | 29 |
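Review bot: `# Tools` is emitted at the same heading level as the page title `# Misconfigured CORS`, while the later "Another Method" section nests its tool list under `###`; pick one level (`##`) for section headings so the outline is consistent. The line `* Both above method are manual methods so lets check an automated way` is a sentence, not a list item, and reads better as plain text: "Both methods above are manual, so here is an automated way."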
|
| 30 | +# Automate Way : |
| 31 | +``` |
26 | 32 | step1-> find domains i.e, subfinder -d domain.com -o target.txt |
27 | 33 | step2-> grep alive: cat target.txt | httpx | tee -a alive.txt |
28 | 34 | step3-> grep all urls using waybackurls by @tomnomnom and gau tool i.e,cat alive.txt | gau | tee -a urls.txt |
29 | 35 | step4-> run any of these tools on each url |
30 | 36 | step5-> configure the manually |
31 | | - |
32 | | -Thanks for bypass I will add this in my bypass notes. |
33 | | - |
34 | | - |
| 37 | +``` |
35 | 38 | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
36 | 39 |
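Review bot: Step 5 (`step5-> configure the manually`) is incomplete; say what is being configured, presumably the manual verification from method 1 of every hit the scanner reports, since none of the listed tools should be trusted as the final word. Step 4 names no command, so one example invocation of whichever tool from the list above is intended would make the procedure reproducible. Step 2's "grep alive" is a misnomer for the `httpx` probe, and `tee -a` appends across runs, as in method 2.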
|
37 | | -#Another Method |
38 | | -#Tools: link1:https://github.com/tomnomnom/meg |
39 | | - link2:https://github.com/tomnomnom/gf |
40 | | - link3:https://github.com/projectdiscovery/subfinder |
41 | | - link4:https://github.com/tomnomnom/assetfinder |
42 | | - link5:https://github.com/Edu4rdSHL/findomain |
43 | | - link6:https://github.com/projectdiscovery/httpx |
44 | | - |
45 | | -Steps:- |
| 40 | +# Another Method |
46 | 41 |
|
| 42 | +### Tools You Will Need for this method. |
| 43 | +* [https://github.com/tomnomnom/meg](https://github.com/tomnomnom/meg) |
| 44 | +* [https://github.com/tomnomnom/gf](https://github.com/tomnomnom/gf) |
| 45 | +* [https://github.com/projectdiscovery/subfinder](https://github.com/projectdiscovery/subfinder) |
| 46 | +* [https://github.com/tomnomnom/assetfinder](https://github.com/tomnomnom/assetfinder) |
| 47 | +* [https://github.com/Edu4rdSHL/findomain](https://github.com/Edu4rdSHL/findomain) |
| 48 | +* [https://github.com/projectdiscovery/httpx](https://github.com/projectdiscovery/httpx) |
| 49 | + |
| 50 | +### Steps |
| 51 | +``` |
47 | 52 | 1) Find Domains with the help of subfinder,assetfinder,findomain i.e , subfinder -d target.com | tee -a hosts1 , findomain -t target.com | tee -a hosts1 , assetfinder --subs-only target.com |tee -a hosts1 . |
48 | 53 | 2) Then cat hosts1 | sort -u | tee -a hosts2 and then cat hosts2 | httpx | tee -a hosts . |
49 | 54 | 3) Navigate through terminal where hosts file is located echo "/" > paths |
50 | 55 | 4) Then type meg -v |
51 | 56 | 5) After the completion of process type gf cors. |
52 | 57 | 6) All the urls with Access-Control-Allow will be displayed. |
| 58 | +``` |
53 | 59 |
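Review bot: Step 6 should not be read as a list of findings: `gf cors` matches any response containing an `Access-Control-Allow` header, including the harmless `Access-Control-Allow-Origin: *` without credentials, so every hit still needs the origin-reflection and `Access-Control-Allow-Credentials` check from method 1. Step 4 runs `meg -v` with no arguments, so it is relying on meg picking up the `paths` and `hosts` files by their default names; that is why step 3 creates `paths` next to `hosts`, and the text should say so. Step 5 should also note that the `cors` pattern must be installed under `~/.gf` before `gf cors` does anything. Step 1 chains three commands with commas on one line; one command per line would be clearer, and `sort -u` in step 2 makes the repeated `tee -a` unnecessary.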
|
| 60 | +# Authors |
| 61 | +* [@Virdoex_hunter](https://twitter.com/Virdoex_hunter) |