Santandersecurityresearch/corsair_scan

Add option to use request's host header for CORS tests

Opened this issue · 1 comment

The tool currently scans for pre/post/sub-domain misconfigurations if the request you supply already has an Origin header, but this means you need to supply a cross-origin domain to begin with. If the site (e.g. Vulnerable.com) is already making CORS requests (Origin: sistersite.com), they'll just use that. If the site isn't already making CORS requests, it's likely a tester will just include their own domain as a basic test and let the tool do the work (e.g. Origin: attacker.com).

However, since you're basing the pre/post/sub-domain misconfig checks on the Origin header that was supplied, it's possible you're missing some test cases. For example, if we assume the site is configured to respond with CORS headers for the origin sistersite.com and *vulnerable.com, we won't detect the second misconfiguration.

My suggestion is to also add pre/post/sub-domain misconfig checks using the site's Host header. I don't mean modifying the Host header here, as you said this would be a separate tool. Instead I'm just recommending that the tool constructs new Origin headers, using the original Host header as test cases.

For example:

GET /api/example HTTP/1.1
Host: vulnerable.com
Origin: sistersite.com
Connection: close

Existing test cases:

Origin: https://scarymonstersistersite.com #Pre-domain Injection
Origin: https://sistersite.com.scarymonster.com #Post-domain Injection
Origin: https://scarymonster.sistersite.com #Sub-domain Injection

Test cases to be added:

Origin: https://scarymonstervulnerable.com
Origin: https://vulnerable.com.scarymonster.com
Origin: https://scarymonster.vulnerable.com

Will be adding a PR for this shortly.
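The construction proposed above, as an added example that is not part of this issue or of corsair_scan's code: it parses the request shown in the issue, builds the three injection Origins from the Origin header (the existing behaviour) and from the Host header (the proposal), and then classifies a response to a probe. The attacker domain scarymonster.com is the one used in the issue's examples; the function names and the sample response are hypothetical.

```python
"""Added example (not corsair_scan's own code): derive pre/post/sub-domain
CORS test Origins from a request's Host header as well as its Origin header,
then classify the response to a probe sent with one of those Origins."""
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical attacker-controlled domain, as used in the issue's examples.
ATTACKER_DOMAIN = "scarymonster.com"

# Constructed sample request, copied from the issue's example.
SAMPLE_REQUEST = """GET /api/example HTTP/1.1
Host: vulnerable.com
Origin: sistersite.com
Connection: close
"""


def parse_request_headers(raw: str) -> dict:
    """Return the headers of a raw HTTP/1.1 request as a lower-cased dict."""
    headers = {}
    for line in raw.splitlines()[1:]:   # skip the request line
        if not line.strip():            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def hostname_of(value: str) -> str:
    """Strip scheme and port from an Origin/Host value ("https://a.b:443" -> "a.b")."""
    if "://" not in value:
        value = "https://" + value
    return (urlsplit(value).hostname or "").lower()


def origin_test_cases(base: str, attacker: str = ATTACKER_DOMAIN) -> dict:
    """Build the three injection Origins for one base hostname.

    For base "vulnerable.com" and attacker "scarymonster.com":
      pre-domain  -> https://scarymonstervulnerable.com
      post-domain -> https://vulnerable.com.scarymonster.com
      sub-domain  -> https://scarymonster.vulnerable.com
    """
    host = hostname_of(base)
    attacker_label = attacker.split(".", 1)[0]   # "scarymonster"
    return {
        "pre-domain": f"https://{attacker_label}{host}",
        "post-domain": f"https://{host}.{attacker}",
        "sub-domain": f"https://{attacker_label}.{host}",
    }


def all_test_origins(headers: dict) -> list:
    """Combine cases derived from Origin (existing behaviour) and from Host
    (the issue's proposal), de-duplicated and labelled by source."""
    seen, cases = set(), []
    for source in ("origin", "host"):
        base = headers.get(source)
        if not base:
            continue
        for label, test_origin in origin_test_cases(base).items():
            if test_origin not in seen:
                seen.add(test_origin)
                cases.append((source, label, test_origin))
    return cases


def check_response(test_origin: str, response_headers: dict) -> Optional[str]:
    """Classify a response to a probe sent with Origin: test_origin.

    Returns "reflected", "reflected+credentials", "wildcard",
    "wildcard+credentials", or None when the test origin was not allowed.
    (Browsers refuse "*" together with credentials, so that pairing is a
    finding about sloppy configuration rather than an exploitable one.)
    """
    resp = {k.lower(): v for k, v in response_headers.items()}
    acao = resp.get("access-control-allow-origin", "")
    creds = resp.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        verdict = "wildcard"
    elif acao and hostname_of(acao) == hostname_of(test_origin):
        verdict = "reflected"
    else:
        return None
    return verdict + "+credentials" if creds else verdict


if __name__ == "__main__":
    hdrs = parse_request_headers(SAMPLE_REQUEST)
    for source, label, test_origin in all_test_origins(hdrs):
        print(f"{source:6} {label:11} Origin: {test_origin}")
    # Constructed response illustrating a reflected sub-domain origin.
    fake_response = {"Access-Control-Allow-Origin": "https://scarymonster.vulnerable.com",
                     "Access-Control-Allow-Credentials": "true"}
    print(check_response("https://scarymonster.vulnerable.com", fake_response))
```

Deriving the base from the Host header rather than from a hand-picked Origin is what catches the `*vulnerable.com` case the issue describes when the supplied Origin is `sistersite.com`. Note that `hostname_of` strips any port from Host (`vulnerable.com:8443`), since a port does not belong in the injected Origins, and that the scheme of the probe Origin is fixed to https here; a real scan would also try http.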