lanmaster53/recon-ng

Cross-origin Resource Sharing is not supported by the API provided by recon-web.

chqr1y opened this issue · 4 comments

The CORS policy blocks requests to the recon-web API (like http://127.0.0.1:5000/api/workspaces) made from the JavaScript context of a web page in Firefox or Chrome. This behavior prevents the use of the API from a JavaScript web application.

I have tested with recon-ng 5.1.1, Firefox 68.7.0esr and Chromium 81.0.4044.92.

Confirmed.

Is this a show-stopper for something you are working on?

It's not a show-stopper for me (I have patched the core for my project).
Do you want me to work on a fix?

Sure. It should be pretty easy. I've developed several Flask apps that use the Flask-CORS extension. The default configuration is vulnerable to arbitrary origin reflection, but for this app, which isn't intended to be used outside of localhost, that shouldn't be an issue. I suppose Recon-web could always be invoked with a --origin argument that it uses to whitelist the origin. Just an idea.

On a side note, what is this project you're working on? I've not talked to anyone using the API at this point, but there is a lot of possibility and I'm interested in seeing it used.

I agree with you, I'm going to propose the following behavior:

  • the default policy is '*' for '/api/*'
  • an optional argument '--origin' is added to restrict the CORS to one origin

Another point, my project is a JavaScript interface to manipulate in a more convenient way a large amount of OSINT materials.
For now, it's more an experiment to learn ReactJS.
I'll let you know when I have a working POC.
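
The behavior proposed in this thread (a wildcard policy on `/api/*` by default, optionally pinned to one origin with `--origin`), sketched as an added example that is not recon-ng's code and does not use Flask-CORS. It is a plain standard-library WSGI middleware; `ApiCors`, `demo_app`, `probe` and the allowed-methods list are assumptions made for illustration.

```python
import argparse
from wsgiref.util import setup_testing_defaults

class ApiCors:
    """WSGI middleware adding CORS headers to /api/* only (hypothetical name)."""
    def __init__(self, app, origin="*", prefix="/api/"):
        self.app, self.origin, self.prefix = app, origin, prefix

    def cors_headers(self, req_origin):
        if self.origin == "*":
            return [("Access-Control-Allow-Origin", "*")]
        # Restricted mode: compare with the configured origin, never echo the request.
        allowed = [("Access-Control-Allow-Origin", self.origin)] if req_origin == self.origin else []
        return [("Vary", "Origin")] + allowed

    def __call__(self, environ, start_response):
        if not environ.get("PATH_INFO", "").startswith(self.prefix):
            return self.app(environ, start_response)  # non-API routes get no CORS headers
        extra = self.cors_headers(environ.get("HTTP_ORIGIN"))
        if environ["REQUEST_METHOD"] == "OPTIONS" and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ:
            # Preflight: answer here without calling the wrapped app (method list is assumed).
            extra += [("Access-Control-Allow-Methods", "GET, POST, PATCH, DELETE"),
                      ("Access-Control-Allow-Headers", "Content-Type")]
            start_response("204 No Content", extra)
            return [b""]
        def cors_start(status, headers, exc_info=None):
            return start_response(status, list(headers) + extra, exc_info)
        return self.app(environ, cors_start)

def demo_app(environ, start_response):
    """Stand-in for the real API (constructed sample response)."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"workspaces": []}']

def probe(app, path, origin, method="GET"):
    """Send one constructed request through the app and return its response headers."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": method, "HTTP_ORIGIN": origin}
    setup_testing_defaults(environ)
    if method == "OPTIONS":
        environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = "GET"
    seen = {}
    list(app(environ, lambda status, headers, exc_info=None: seen.update(headers, status=status)))
    return seen

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("--origin", default="*", help="single origin allowed to read /api/*")
    app = ApiCors(demo_app, origin=parser.parse_args().origin)
    for o in ("http://localhost:3000", "http://other.example"):  # constructed origins
        print(o, "->", probe(app, "/api/workspaces", o).get("Access-Control-Allow-Origin"))
```

With `--origin` set, a request from any other origin still reaches the API and gets a 200, but the response carries no `Access-Control-Allow-Origin`, so the browser refuses to hand the body to the calling page.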