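def passive_tests(url, headers):
    """Inspect the CORS headers of an ordinary response for risky ACAO values.

    Two checks run: a literal ``*`` Access-Control-Allow-Origin, and an ACAO
    whose host differs from the target's own host.

    Args:
        url: URL the response came from; used as the key of the result and
            as the source of the target's root host.
        headers: Response-header mapping; keys are looked up in lower case.

    Returns:
        ``{url: info}`` where ``info`` is a copy of the matching ``details``
        template with ``acao header`` / ``acac header`` filled in, or ``None``
        when neither check fires.
    """
    root = host(url)
    acao_header = headers.get('access-control-allow-origin', None)
    acac_header = headers.get('access-control-allow-credentials', None)

    def finding(key):
        # Work on a copy: mutating details[key] in place would make every
        # result built from the same template alias one dict, so a later call
        # would overwrite the headers recorded for an earlier URL.
        info = dict(details[key])
        info['acao header'] = acao_header
        info['acac header'] = acac_header
        return {url: info}

    # Any origin accepted; the credentials header is recorded alongside so the
    # consumer can see whether credentials were allowed together with it.
    if acao_header == '*':
        return finding('wildcard value')

    if root:
        # NOTE(review): host(None) is reached when the ACAO header is absent;
        # confirm host() tolerates a None argument.
        acao_host = host(acao_header)
        if acao_host and root != acao_host:
            return finding('third party allowed')
    return None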
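def passive_tests(url, acao_header):
    """Classify an Access-Control-Allow-Origin value seen on a plain response.

    Args:
        url: URL that produced the header; host(url) gives the root host and
            the scheme prefix is inspected for the http:// check.
        acao_header: The observed ACAO header value.

    Returns:
        One of the labels ``'Wildcard value'``, ``'Third party allowed'``,
        ``'HTTP origin allowed'`` or ``'Invalid value'``, or ``False`` when the
        value matches none of them.
    """
    root = host(url)
    if acao_header == '*':
        return 'Wildcard value'
    # host(url) produced nothing usable for the target itself.
    if not root:
        return 'Invalid value'
    # The stray unlabelled print of the raw header value that used to sit in
    # this branch is gone: stdout should only carry labelled findings.
    if root != host(acao_header):
        return 'Third party allowed'
    if url.startswith('http://'):
        return 'HTTP origin allowed'
    return False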
def cors(target, header_dict, delay):
    """Normalise *target* to ``scheme://netloc`` and run the active CORS tests.

    Args:
        target: URL to test; host(target) supplies the root host.
        header_dict: Extra request headers handed through to the requester.
        delay: Seconds slept between probes inside active_tests().

    Returns:
        Whatever active_tests() returns for the normalised URL.
    """
    root = host(target)
    parts = urlparse(target)
    # Path, query and fragment are dropped: only scheme and netloc are probed.
    base_url = f'{parts.scheme}://{parts.netloc}'
    return active_tests(base_url, root, parts.scheme, header_dict, delay)
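def passive_tests(url, headers):
    """Collect passive CORS findings from the headers of an ordinary response.

    Two checks run: a literal ``*`` Access-Control-Allow-Origin, and an ACAO
    whose host differs from the target's own host. Both may fire.

    Args:
        url: URL the response came from; used as the key of each result.
        headers: Response-header mapping; ``access-control-allow-origin`` must
            be present (a KeyError is raised otherwise, as before).

    Returns:
        A list of ``{url: info}`` dicts, possibly empty. ``info`` is a copy of
        the matching ``details`` template with ``acao header`` /
        ``acac header`` filled in.
    """
    results = []
    root = host(url)
    acao_header = headers["access-control-allow-origin"]
    acac_header = headers.get("access-control-allow-credentials", None)

    def finding(key):
        # Copy the template so results for different URLs never share one dict.
        info = dict(details[key])
        info["acao header"] = acao_header
        info["acac header"] = acac_header
        return {url: info}

    if acao_header == "*":
        results.append(finding("wildcard value"))
    if root:
        acao_host = host(acao_header)
        if acao_host and root != acao_host:
            results.append(finding("third party allowed"))
    # The list is returned rather than discarded so callers can extend their
    # own result lists with it.
    return results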
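def cors(target, delay, scheme=False):
    """Normalise *target* to ``scheme://netloc`` and run the active CORS tests.

    Args:
        target: URL or bare host to test.
        delay: Seconds slept between probes inside active_tests().
        scheme: Fallback scheme (``'http'``/``'https'``) prepended when
            *target* carries none. Defaults to ``False`` (no fallback).

    Returns:
        Whatever active_tests() returns for the normalised URL.

    Raises:
        ValueError: *target* has no ``http://``/``https://`` prefix and no
            fallback *scheme* was given. (Previously this surfaced as an
            opaque TypeError from concatenating ``False`` with a string.)
    """
    url = target
    if not target.startswith(('http://', 'https://')):
        if not scheme:
            raise ValueError(
                f'{target!r} has no scheme and no fallback scheme was given')
        url = f'{scheme}://{url}'
    root = host(url)
    parsed = urlparse(url)
    # Only scheme and netloc are probed; path and query are dropped.
    url = f'{parsed.scheme}://{parsed.netloc}'
    return active_tests(url, root, parsed.scheme, delay)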
def cors(target, header_dict, delay):
    """Normalise *target* to ``scheme://netloc/path`` and run the active tests.

    Args:
        target: URL to test; host(target) supplies the root host.
        header_dict: Extra request headers handed through to the requester.
        delay: Seconds slept between probes inside active_tests().

    Returns:
        The result of active_tests(), or ``None`` when the connection fails
        (a warning prefixed with ``bad`` is printed in that case).
    """
    root = host(target)
    parts = urlparse(target)
    # Query and fragment are dropped; the path is kept for the probes.
    probe_url = '%s://%s%s' % (parts.scheme, parts.netloc, parts.path)
    try:
        return active_tests(probe_url, root, parts.scheme, header_dict, delay)
    except ConnectionError:
        print('%s Unable to connect to %s' % (bad, root))
        return None
def cors(target, header_dict, delay):
    """Normalise *target* to ``scheme://netloc`` and run the active CORS tests.

    Args:
        target: URL to test; host(target) supplies the root host.
        header_dict: Extra request headers handed through to the requester.
        delay: Seconds slept between probes inside active_tests().

    Returns:
        The result of active_tests(), or ``None`` when the connection fails
        (a ``[WARNING]`` line naming the target and the error is printed).
    """
    root = host(target)
    parts = urlparse(target)
    # Path, query and fragment are dropped: only scheme and netloc are probed.
    probe_url = '%s://%s' % (parts.scheme, parts.netloc)
    try:
        return active_tests(probe_url, root, parts.scheme, header_dict, delay)
    except ConnectionError as exc:
        print(f'[WARNING] Unable to connect to {target}: {exc}')
        return None
def active_tests(url, root, scheme, delay, insecure=False):
    """Probe *url* with a series of crafted Origin values and name the first
    CORS misconfiguration that is reflected back.

    Each probe is one requester() call whose return value is treated as the
    Access-Control-Allow-Origin header; ``delay`` seconds are slept between
    probes. The function returns on the first match, so at most one label is
    reported per URL.

    Args:
        url: Normalised target URL.
        root: Hostname of the target (from host()).
        scheme: Scheme handed to requester() and used to build the expected
            reflected values.
        delay: Seconds to sleep between probes.
        insecure: Forwarded to requester() unchanged (its meaning is not
            visible here).

    Returns:
        A finding label string; the result of passive_tests() when the final
        probe's header is present but is not an http:// origin; otherwise
        ``None``.
    """
    # Probe 1: an unrelated origin echoed back verbatim.
    acao_header = requester(url, scheme, 'example.com', insecure)
    if acao_header:
        # NOTE(review): `scheme + 'example.com'` has no '://' between the two
        # parts; confirm what requester() sends as Origin, otherwise this
        # comparison (and the scheme-prefixed ones below) can never be true.
        if acao_header == (scheme + 'example.com'):
            return 'Origin reflected'
    time.sleep(delay)
    # Probe 2: target host used as a prefix of a foreign domain.
    acao_header = requester(url, scheme, root + '.example.com', insecure)
    if acao_header:
        if acao_header == (scheme + root + '.example.com'):
            return 'Post-domain wildcard'
    time.sleep(delay)
    # Probe 3: target host used as a suffix of a foreign domain.
    acao_header = requester(url, scheme, 'd3v' + root, insecure)
    if acao_header:
        if acao_header == (scheme + 'd3v' + root):
            return 'Pre-domain wildcard'
    time.sleep(delay)
    # Probe 4: literal "null" origin; the empty scheme means nothing is prefixed
    # (presumably — depends on requester()).
    acao_header = requester(url, '', 'null', insecure)
    if acao_header:
        if acao_header == 'null':
            return 'Null origin allowed'
    time.sleep(delay)
    # Probe 5: "%60" is a URL-encoded backtick; a reflected "`.example.com"
    # suggests the server decoded and accepted a malformed origin.
    acao_header = requester(url, scheme, root + '%60.example.com', insecure)
    if acao_header:
        if '`.example.com' in acao_header:
            return 'Broken parser'
    # Probe 6 (multi-label hosts only): swap the first "." for "x"
    # (a.b.c -> axb.c); a match points to an unescaped "." in an origin regex.
    if root.count('.') > 1:
        time.sleep(delay)
        spoofed_root = root.replace('.', 'x', 1)
        acao_header = requester(url, scheme, spoofed_root, insecure)
        if acao_header:
            if host(acao_header) == spoofed_root:
                return 'Unescaped regex'
    time.sleep(delay)
    # Probe 7: same host over plain http; otherwise hand the header to the
    # passive checks.
    acao_header = requester(url, 'http', root, insecure)
    if acao_header:
        if acao_header.startswith('http://'):
            return 'HTTP origin allowed'
        else:
            return passive_tests(url, acao_header)
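def _cors_headers(headers):
    # Split a response-header mapping into (ACAO value, ACAC value or None).
    return (
        headers["access-control-allow-origin"],
        headers.get("access-control-allow-credentials", None),
    )


def _finding(url, key, acao_header, acac_header):
    # One result entry: a *copy* of the details[key] template with the observed
    # headers filled in. Copying matters because otherwise every finding for
    # every URL would share, and overwrite, the same template dict.
    info = dict(details[key])
    info["acao header"] = acao_header
    info["acac header"] = acac_header
    return {url: info}


def active_tests(url, root, scheme, header_dict, delay):
    """Send a series of crafted Origin headers to *url* and collect every
    CORS misconfiguration that is reflected back.

    Each probe goes through requester(); a falsy return skips that probe.
    ``delay`` seconds are slept between probes. All probes run and every hit
    is kept, so one URL can yield several findings.

    Args:
        url: Normalised target URL.
        root: Hostname of the target (from host()).
        scheme: Scheme used for the probe Origin and for the expected
            reflected value (``scheme://...``).
        header_dict: Extra request headers forwarded to requester().
        delay: Seconds to sleep between probes.

    Returns:
        A list of ``{url: info}`` dicts, one per detected issue, possibly
        empty. When the final probe does not reveal an http:// origin, the
        passive findings for that response are appended as well.
    """
    results = []

    # Unrelated origin echoed back verbatim.
    headers = requester(url, scheme, header_dict, "example.com")
    if headers:
        acao_header, acac_header = _cors_headers(headers)
        if acao_header and acao_header == (scheme + "://" + "example.com"):
            results.append(_finding(url, "origin reflected", acao_header, acac_header))
    time.sleep(delay)

    # Target host used as a prefix of a foreign domain.
    headers = requester(url, scheme, header_dict, root + ".example.com")
    if headers:
        acao_header, acac_header = _cors_headers(headers)
        if acao_header and acao_header == (scheme + "://" + root + ".example.com"):
            results.append(_finding(url, "post-domain wildcard", acao_header, acac_header))
    time.sleep(delay)

    # Target host used as a suffix of a foreign domain.
    headers = requester(url, scheme, header_dict, "d3v" + root)
    if headers:
        acao_header, acac_header = _cors_headers(headers)
        if acao_header and acao_header == (scheme + "://" + "d3v" + root):
            results.append(_finding(url, "pre-domain wildcard", acao_header, acac_header))
    time.sleep(delay)

    # Literal "null" origin; the empty scheme means nothing is prefixed.
    headers = requester(url, "", header_dict, "null")
    if headers:
        acao_header, acac_header = _cors_headers(headers)
        if acao_header and acao_header == "null":
            results.append(_finding(url, "null origin allowed", acao_header, acac_header))
    time.sleep(delay)

    # "%60" is a URL-encoded backtick; a reflected "`.example.com" suggests the
    # server decoded and accepted a malformed origin.
    headers = requester(url, scheme, header_dict, root + "%60.example.com")
    if headers:
        acao_header, acac_header = _cors_headers(headers)
        if acao_header and "`.example.com" in acao_header:
            results.append(_finding(url, "broken parser", acao_header, acac_header))
    time.sleep(delay)

    # Multi-label hosts only: swap the first "." for "x" (a.b.c -> axb.c);
    # a match points to an unescaped "." in a server-side origin regex.
    if root.count(".") > 1:
        spoofed_root = root.replace(".", "x", 1)
        headers = requester(url, scheme, header_dict, spoofed_root)
        # Guard added: this probe alone dereferenced `headers` without
        # checking for a falsy response, unlike every other probe.
        if headers:
            acao_header, acac_header = _cors_headers(headers)
            if acao_header and host(acao_header) == spoofed_root:
                results.append(_finding(url, "unescaped regex", acao_header, acac_header))
    time.sleep(delay)

    # Same host over plain http; a reflected http:// origin downgrades the
    # trust boundary to cleartext. Otherwise run the passive checks on this
    # response.
    headers = requester(url, "http", header_dict, root)
    if headers:
        acao_header, acac_header = _cors_headers(headers)
        if acao_header and acao_header.startswith("http://"):
            results.append(_finding(url, "http origin allowed", acao_header, acac_header))
        else:
            passive = passive_tests(url, headers)
            if passive:
                results.extend(passive)
    return results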
def active_tests(url, root, scheme, header_dict, delay):
    """Probe *url* with a series of crafted Origin values and return the first
    CORS misconfiguration that is reflected back.

    Each probe is one requester() call returning a response-header mapping;
    ``delay`` seconds are slept between probes. The function returns on the
    first match, so at most one finding is reported per URL.

    Args:
        url: Normalised target URL.
        root: Hostname of the target (from host()).
        scheme: Scheme handed to requester() and used to build the expected
            reflected values.
        header_dict: Extra request headers forwarded to requester().
        delay: Seconds to sleep between probes.

    Returns:
        ``{url: info}`` with ``info`` taken from the ``details`` template of the
        matched issue; the result of passive_tests() when the final probe's
        header is present but is not an http:// origin; otherwise ``None``.
    """
    headers = requester(url, scheme, header_dict, 'example.com')
    if headers:
        acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
        # NOTE(review): `scheme + 'example.com'` has no '://' between the two
        # parts; confirm what requester() sends as Origin, otherwise this
        # comparison (and the scheme-prefixed ones below) can never be true.
        if acao_header and acao_header == (scheme + 'example.com'):
            # NOTE(review): details[...] is mutated in place, so every result
            # built from the same template aliases one shared dict.
            info = details['origin reflected']
            info['acao header'] = acao_header
            info['acac header'] = acac_header
            return {url: info}
        elif not acao_header:
            # An empty ACAO value ends the scan for this URL with no finding.
            return
        time.sleep(delay)
        # NOTE(review): from here on `headers` is indexed without the
        # `if headers:` guard the first probe has; a falsy requester() result
        # raises TypeError instead of skipping the probe.
        headers = requester(url, scheme, header_dict, root + '.example.com')
        acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
        # Target host used as a prefix of a foreign domain.
        if acao_header and acao_header == (scheme + root + '.example.com'):
            info = details['post-domain wildcard']
            info['acao header'] = acao_header
            info['acac header'] = acac_header
            return {url: info}
        time.sleep(delay)
        headers = requester(url, scheme, header_dict, 'd3v' + root)
        acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
        # Target host used as a suffix of a foreign domain.
        if acao_header and acao_header == (scheme + 'd3v' + root):
            info = details['pre-domain wildcard']
            info['acao header'] = acao_header
            info['acac header'] = acac_header
            return {url: info}
        time.sleep(delay)
        headers = requester(url, '', header_dict, 'null')
        acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
        # Literal "null" origin; the empty scheme presumably means nothing is
        # prefixed (depends on requester()).
        if acao_header and acao_header == 'null':
            info = details['null origin allowed']
            info['acao header'] = acao_header
            info['acac header'] = acac_header
            return {url: info}
        time.sleep(delay)
        headers = requester(url, scheme, header_dict, root + '%60.example.com')
        acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
        # "%60" is a URL-encoded backtick; a reflected "`.example.com" suggests
        # the server decoded and accepted a malformed origin.
        if acao_header and '`.example.com' in acao_header:
            info = details['broken parser']
            info['acao header'] = acao_header
            info['acac header'] = acac_header
            return {url: info}
        time.sleep(delay)
        # Multi-label hosts only: swap the first "." for "x" (a.b.c -> axb.c);
        # a match points to an unescaped "." in a server-side origin regex.
        if root.count('.') > 1:
            spoofed_root = root.replace('.', 'x', 1)
            headers = requester(url, scheme, header_dict, spoofed_root)
            acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
            if acao_header and host(acao_header) == spoofed_root:
                info = details['unescaped regex']
                info['acao header'] = acao_header
                info['acac header'] = acac_header
                return {url: info}
        time.sleep(delay)
        # Same host over plain http; otherwise hand the headers to the passive
        # checks.
        headers = requester(url, 'http', header_dict, root)
        acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
        if acao_header and acao_header.startswith('http://'):
            info = details['http origin allowed']
            info['acao header'] = acao_header
            info['acac header'] = acac_header
            return {url: info}
        else:
            return passive_tests(url, headers)