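def passive_tests(url, headers):
    """Check the response headers of one request for CORS weaknesses.

    Args:
        url: URL the headers were obtained from; used as the result key and
            as the host the ACAO value is compared against.
        headers: Mapping of response headers; the lookups below use
            lower-case header names, so the mapping is expected to be keyed
            that way.

    Returns:
        ``{url: info}`` where ``info`` is a fresh copy of the matching entry
        of ``details`` with the observed ``acao header`` and ``acac header``
        values added, or ``None`` when neither check fires.
    """
    root = host(url)
    acao_header = headers.get('access-control-allow-origin', None)
    acac_header = headers.get('access-control-allow-credentials', None)

    def finding(label):
        # Copy the template: ``details`` is shared module state, and mutating
        # it in place would carry one result's header values into later ones.
        info = dict(details[label])
        info['acao header'] = acao_header
        info['acac header'] = acac_header
        return {url: info}

    # Any origin may read the response; ACAC is recorded alongside so the
    # report shows whether credentials are allowed too.
    if acao_header == '*':
        return finding('wildcard value')
    # ACAO names a host other than the target's own: a third party is trusted.
    if root and acao_header:
        acao_host = host(acao_header)
        if acao_host and root != acao_host:
            return finding('third party allowed')
    return None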
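def passive_tests(url, acao_header):
    """Classify an Access-Control-Allow-Origin value observed for ``url``.

    Args:
        url: Target URL; its host is compared against the host named in
            ``acao_header``.
        acao_header: The Access-Control-Allow-Origin value to classify.

    Returns:
        One of the labels ``'Wildcard value'``, ``'Third party allowed'``,
        ``'HTTP origin allowed'`` or ``'Invalid value'``, or ``False`` when
        nothing suspicious is found.
    """
    root = host(url)
    if acao_header == '*':
        return 'Wildcard value'
    if not root:
        # The target URL itself does not yield a host to compare against.
        return 'Invalid value'
    if root != host(acao_header):
        # NOTE(review): presumably host() is falsy for non-URL values such
        # as 'null', which then also end up reported here — verify.
        return 'Third party allowed'
    # NOTE(review): this inspects the scheme of the target URL, not of the
    # ACAO value — confirm that is the intent.
    if url.startswith('http://'):
        return 'HTTP origin allowed'
    return False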
def cors(target, header_dict, delay):
    """Run the active CORS probes against ``target``.

    The probed URL is reduced to ``scheme://netloc`` (path, query and
    fragment dropped), while the root host is taken from the original
    target string.

    Args:
        target: Target URL.  NOTE(review): a target without a scheme parses
            to an empty netloc here — confirm the caller normalises it.
        header_dict: Extra request headers forwarded to the probes.
        delay: Seconds to wait between probes.

    Returns:
        Whatever ``active_tests`` returns for the normalised URL.
    """
    root = host(target)
    parts = urlparse(target)
    base_url = '://'.join((parts.scheme, parts.netloc))
    return active_tests(base_url, root, parts.scheme, header_dict, delay)
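def passive_tests(url, headers):
    """Check an already-received set of response headers for CORS weaknesses.

    Args:
        url: URL the headers came from; used as the key of each result and as
            the host the ACAO value is compared against.
        headers: Mapping of response headers keyed by lower-case name; must
            contain ``access-control-allow-origin``.

    Returns:
        A list of ``{url: info}`` dicts, one per finding (empty when nothing
        matched).  Each ``info`` is a fresh copy of the matching ``details``
        template with the observed ``acao header`` and ``acac header`` added.

    Raises:
        KeyError: if ``headers`` has no ``access-control-allow-origin`` entry.
    """
    results = []
    root = host(url)
    acao_header = headers["access-control-allow-origin"]
    acac_header = headers.get("access-control-allow-credentials", None)

    def finding(label):
        # Copy the template: ``details`` is shared module state, and mutating
        # it in place would carry one result's header values into later ones.
        info = dict(details[label])
        info["acao header"] = acao_header
        info["acac header"] = acac_header
        return {url: info}

    # Any origin may read the response.
    if acao_header == "*":
        results.append(finding("wildcard value"))
    # ACAO names a host other than the target's own: a third party is trusted.
    if root and acao_header:
        acao_host = host(acao_header)
        if acao_host and root != acao_host:
            results.append(finding("third party allowed"))
    # The collected findings were previously never returned to the caller.
    return results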
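def cors(target, delay, scheme=False):
    """Run the active CORS probes against ``target``.

    Args:
        target: Target URL, or a bare host when ``scheme`` is supplied.
        delay: Seconds to wait between probes.
        scheme: Scheme to prepend when ``target`` carries none
            (e.g. ``'http'`` or ``'https'``); ``False`` means none given.

    Returns:
        Whatever ``active_tests`` returns for the normalised
        ``scheme://netloc`` URL (path, query and fragment are dropped).

    Raises:
        ValueError: if ``target`` has no scheme and ``scheme`` is not given.
    """
    url = target
    if not target.startswith(('http://', 'https://')):
        if not scheme:
            # Fail clearly instead of concatenating a bool into the URL.
            raise ValueError(
                'target %r has no scheme and no default scheme was supplied'
                % (target,)
            )
        url = scheme + '://' + url
    root = host(url)
    parsed = urlparse(url)
    # Probe the origin only; the parsed scheme is what the probes are told.
    base_url = parsed.scheme + '://' + parsed.netloc
    return active_tests(base_url, root, parsed.scheme, delay)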
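def cors(target, header_dict, delay):
    """Run the active CORS probes against ``target``.

    The probed URL is rebuilt as ``scheme://netloc/path`` (query and
    fragment dropped); the root host is taken from the original target.

    Args:
        target: Target URL (expected to carry a scheme; without one the
            netloc parses as empty).
        header_dict: Extra request headers forwarded to the probes.
        delay: Seconds to wait between probes.

    Returns:
        The result of ``active_tests``, or ``None`` when a connection error
        aborted the probes (a warning naming the error is printed).  Anything
        ``active_tests`` had found before the failure is not returned.
    """
    root = host(target)
    parsed = urlparse(target)
    url = parsed.scheme + '://' + parsed.netloc + parsed.path
    try:
        return active_tests(url, root, parsed.scheme, header_dict, delay)
    except ConnectionError as exc:
        # Include the exception text; it was previously captured and dropped.
        print('%s Unable to connect to %s: %s' % (bad, root, exc))
        return None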
def cors(target, header_dict, delay):
    """Run the active CORS probes against ``target``.

    The probed URL is reduced to ``scheme://netloc``; the root host is taken
    from the original target string.

    Args:
        target: Target URL (expected to carry a scheme; without one the
            netloc parses as empty).
        header_dict: Extra request headers forwarded to the probes.
        delay: Seconds to wait between probes.

    Returns:
        The result of ``active_tests``, or ``None`` when a connection error
        aborted the probes (a warning is printed instead).
    """
    root = host(target)
    parts = urlparse(target)
    base_url = '://'.join((parts.scheme, parts.netloc))
    try:
        return active_tests(base_url, root, parts.scheme, header_dict, delay)
    except ConnectionError as exc:
        print(f'[WARNING] Unable to connect to {target}: {exc}')
        return None
def active_tests(url, root, scheme, delay, insecure=False):
    """Send a series of crafted Origin headers to ``url`` and classify the reply.

    Each probe calls ``requester`` with a different Origin and inspects the
    Access-Control-Allow-Origin (ACAO) value it returns; the first probe whose
    condition holds decides the result.  ``delay`` seconds are slept between
    probes.

    NOTE(review): the reflected-value comparisons concatenate ``scheme``
    directly with the host name (no ``'://'``) — confirm ``requester`` builds
    the Origin header the same way, otherwise those probes can never match.

    Args:
        url: Target URL to probe.
        root: Host name of the target, used to build look-alike origins.
        scheme: Scheme string forwarded to ``requester`` and used in the
            reflected-value comparisons.
        delay: Seconds to sleep between probes.
        insecure: Forwarded to ``requester`` unchanged.

    Returns:
        A label string naming the misconfiguration found, the result of
        ``passive_tests`` when the last probe's value needs further
        classification, or ``None`` when no probe matched.
    """
    # Origin: example.com — a finding if the server reflects an arbitrary origin.
    acao_header = requester(url, scheme, 'example.com', insecure)
    if acao_header:
        if acao_header == (scheme + 'example.com'):
            return 'Origin reflected'
    time.sleep(delay)
    # Origin: <root>.example.com — matches a suffix-only host check.
    acao_header = requester(url, scheme, root + '.example.com', insecure)
    if acao_header:
        if acao_header == (scheme + root + '.example.com'):
            return 'Post-domain wildcard'
    time.sleep(delay)
    # Origin: d3v<root> — matches a prefix-only host check.
    acao_header = requester(url, scheme, 'd3v' + root, insecure)
    if acao_header:
        if acao_header == (scheme + 'd3v' + root):
            return 'Pre-domain wildcard'
    time.sleep(delay)
    # Origin: null (sent without a scheme) — a finding if ACAO echoes it.
    acao_header = requester(url, '', 'null', insecure)
    if acao_header:
        if acao_header == 'null':
            return 'Null origin allowed'
    time.sleep(delay)
    # Origin: <root>%60.example.com — a literal backtick surviving into ACAO
    # means the origin was not parsed as a host name.
    acao_header = requester(url, scheme, root + '%60.example.com', insecure)
    if acao_header:
        if '`.example.com' in acao_header:
            return 'Broken parser'
    # Only for hosts with more than one dot: swap the first '.' for 'x'; a
    # regex that leaves '.' unescaped still matches the spoofed host.
    if root.count('.') > 1:
        time.sleep(delay)
        spoofed_root = root.replace('.', 'x', 1)
        acao_header = requester(url, scheme, spoofed_root, insecure)
        if acao_header:
            if host(acao_header) == spoofed_root:
                return 'Unescaped regex'
        time.sleep(delay)
    # Origin: http://<root> — a finding if ACAO comes back as an http:// value;
    # any other value is left to the passive checks.
    acao_header = requester(url, 'http', root, insecure)
    if acao_header:
        if acao_header.startswith('http://'):
            return 'HTTP origin allowed'
        else:
            return passive_tests(url, acao_header)
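def active_tests(url, root, scheme, header_dict, delay):
    """Send crafted Origin headers to ``url`` and collect every CORS finding.

    Each probe asks ``requester`` for the response headers of a request with
    a particular Origin, then checks the Access-Control-Allow-Origin (ACAO)
    value.  All probes run and every match is recorded; a probe that yields
    no headers is skipped.  ``delay`` seconds are slept after each answered
    probe.

    Args:
        url: Target URL to probe.
        root: Host name of the target, used to build look-alike origins.
        scheme: Scheme of the target; the expected reflected value is
            rebuilt here as ``scheme + '://' + host``.
        header_dict: Extra request headers forwarded to ``requester``.
        delay: Seconds to sleep between probes.

    Returns:
        A list of ``{url: info}`` dicts, one per finding; ``info`` is a copy
        of the matching ``details`` template plus the observed ``acao header``
        and ``acac header`` values.  Empty when nothing matched.

    Raises:
        KeyError: if an answered probe's headers lack
            ``access-control-allow-origin``.
    """
    results = []

    def cors_headers(headers):
        # ACAO is required in the response mapping, ACAC is optional.
        return (
            headers["access-control-allow-origin"],
            headers.get("access-control-allow-credentials", None),
        )

    def record(label, acao_header, acac_header):
        # Copy the template: ``details`` is shared module state, and mutating
        # it in place would carry one finding's header values into later ones.
        info = dict(details[label])
        info["acao header"] = acao_header
        info["acac header"] = acac_header
        results.append({url: info})

    # Origin: example.com — a finding if the server reflects an arbitrary origin.
    headers = requester(url, scheme, header_dict, "example.com")
    if headers:
        acao_header, acac_header = cors_headers(headers)
        if acao_header and acao_header == (scheme + "://" + "example.com"):
            record("origin reflected", acao_header, acac_header)
        time.sleep(delay)

    # Origin: <root>.example.com — matches a suffix-only host check.
    headers = requester(url, scheme, header_dict, root + ".example.com")
    if headers:
        acao_header, acac_header = cors_headers(headers)
        if acao_header and acao_header == (scheme + "://" + root + ".example.com"):
            record("post-domain wildcard", acao_header, acac_header)
        time.sleep(delay)

    # Origin: d3v<root> — matches a prefix-only host check.
    headers = requester(url, scheme, header_dict, "d3v" + root)
    if headers:
        acao_header, acac_header = cors_headers(headers)
        if acao_header and acao_header == (scheme + "://" + "d3v" + root):
            record("pre-domain wildcard", acao_header, acac_header)
        time.sleep(delay)

    # Origin: null (sent without a scheme) — a finding if ACAO echoes it.
    headers = requester(url, "", header_dict, "null")
    if headers:
        acao_header, acac_header = cors_headers(headers)
        if acao_header and acao_header == "null":
            record("null origin allowed", acao_header, acac_header)
        time.sleep(delay)

    # Origin: <root>%60.example.com — a literal backtick surviving into ACAO
    # means the origin was not parsed as a host name.
    headers = requester(url, scheme, header_dict, root + "%60.example.com")
    if headers:
        acao_header, acac_header = cors_headers(headers)
        if acao_header and "`.example.com" in acao_header:
            record("broken parser", acao_header, acac_header)
        time.sleep(delay)

    # Only for hosts with more than one dot: swap the first '.' for 'x'; a
    # regex that leaves '.' unescaped still matches the spoofed host.  This
    # probe now runs on its own and guards its headers like the others
    # instead of being nested under the previous probe's answer.
    if root.count(".") > 1:
        spoofed_root = root.replace(".", "x", 1)
        headers = requester(url, scheme, header_dict, spoofed_root)
        if headers:
            acao_header, acac_header = cors_headers(headers)
            if acao_header and host(acao_header) == spoofed_root:
                record("unescaped regex", acao_header, acac_header)
            time.sleep(delay)

    # Origin: http://<root> — a finding if ACAO comes back as an http:// value;
    # any other value is left to the passive checks.
    headers = requester(url, "http", header_dict, root)
    if headers:
        acao_header, acac_header = cors_headers(headers)
        if acao_header and acao_header.startswith("http://"):
            record("http origin allowed", acao_header, acac_header)
        else:
            passive = passive_tests(url, headers)
            if passive:
                results.extend(passive)
    return results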
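def active_tests(url, root, scheme, header_dict, delay):
    """Send crafted Origin headers to ``url`` and return the first CORS finding.

    The probes run in a fixed order and the first one whose condition holds
    decides the result.  If the very first probe gets no response headers, or
    a response without Access-Control-Allow-Origin (ACAO), the function stops
    early and returns ``None``; a later probe that gets no headers is skipped.
    ``delay`` seconds are slept between probes.

    NOTE(review): the reflected-value comparisons concatenate ``scheme``
    directly with the host name (no ``'://'``) — confirm ``requester`` builds
    the Origin header the same way, otherwise those probes can never match.

    Args:
        url: Target URL to probe.
        root: Host name of the target, used to build look-alike origins.
        scheme: Scheme string forwarded to ``requester`` and used in the
            reflected-value comparisons.
        header_dict: Extra request headers forwarded to ``requester``.
        delay: Seconds to sleep between probes.

    Returns:
        ``{url: info}`` for the first matching probe, where ``info`` is a copy
        of the matching ``details`` template plus the observed ``acao header``
        and ``acac header``; the result of ``passive_tests`` when the last
        probe's value needs further classification; otherwise ``None``.

    Raises:
        KeyError: if an answered probe's headers lack
            ``access-control-allow-origin``.
    """

    def cors_headers(headers):
        # ACAO is required in the response mapping, ACAC is optional.
        return (
            headers['access-control-allow-origin'],
            headers.get('access-control-allow-credentials', None),
        )

    def finding(label, acao_header, acac_header):
        # Copy the template: ``details`` is shared module state, and mutating
        # it in place would carry one finding's header values into later ones.
        info = dict(details[label])
        info['acao header'] = acao_header
        info['acac header'] = acac_header
        return {url: info}

    # Origin: example.com — a finding if the server reflects an arbitrary origin.
    headers = requester(url, scheme, header_dict, 'example.com')
    if not headers:
        return None
    acao_header, acac_header = cors_headers(headers)
    if acao_header and acao_header == (scheme + 'example.com'):
        return finding('origin reflected', acao_header, acac_header)
    if not acao_header:
        # No ACAO at all for a foreign origin: nothing further to test.
        return None
    time.sleep(delay)

    # Origin: <root>.example.com — matches a suffix-only host check.
    headers = requester(url, scheme, header_dict, root + '.example.com')
    if headers:
        acao_header, acac_header = cors_headers(headers)
        if acao_header and acao_header == (scheme + root + '.example.com'):
            return finding('post-domain wildcard', acao_header, acac_header)
    time.sleep(delay)

    # Origin: d3v<root> — matches a prefix-only host check.
    headers = requester(url, scheme, header_dict, 'd3v' + root)
    if headers:
        acao_header, acac_header = cors_headers(headers)
        if acao_header and acao_header == (scheme + 'd3v' + root):
            return finding('pre-domain wildcard', acao_header, acac_header)
    time.sleep(delay)

    # Origin: null (sent without a scheme) — a finding if ACAO echoes it.
    headers = requester(url, '', header_dict, 'null')
    if headers:
        acao_header, acac_header = cors_headers(headers)
        if acao_header and acao_header == 'null':
            return finding('null origin allowed', acao_header, acac_header)
    time.sleep(delay)

    # Origin: <root>%60.example.com — a literal backtick surviving into ACAO
    # means the origin was not parsed as a host name.
    headers = requester(url, scheme, header_dict, root + '%60.example.com')
    if headers:
        acao_header, acac_header = cors_headers(headers)
        if acao_header and '`.example.com' in acao_header:
            return finding('broken parser', acao_header, acac_header)
    time.sleep(delay)

    # Only for hosts with more than one dot: swap the first '.' for 'x'; a
    # regex that leaves '.' unescaped still matches the spoofed host.
    if root.count('.') > 1:
        spoofed_root = root.replace('.', 'x', 1)
        headers = requester(url, scheme, header_dict, spoofed_root)
        if headers:
            acao_header, acac_header = cors_headers(headers)
            if acao_header and host(acao_header) == spoofed_root:
                return finding('unescaped regex', acao_header, acac_header)
        time.sleep(delay)

    # Origin: http://<root> — a finding if ACAO comes back as an http:// value;
    # any other value is left to the passive checks.
    headers = requester(url, 'http', header_dict, root)
    if not headers:
        return None
    acao_header, acac_header = cors_headers(headers)
    if acao_header and acao_header.startswith('http://'):
        return finding('http origin allowed', acao_header, acac_header)
    return passive_tests(url, headers)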