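id: xpl-cors-misconfig

info:
  name: "CORS Misconfiguration (Origin Reflection with Credentials)"
  author: imtaqin
  severity: medium
  description: |
    The server echoes an arbitrary Origin header back in
    Access-Control-Allow-Origin and also sends
    Access-Control-Allow-Credentials: true. A page on an attacker-
    controlled origin can then read authenticated responses from this
    host in the victim's browser, but only if the session cookie is
    actually sent cross-site (SameSite=None, or a browser that does
    not apply a Lax default). Impact depends on what the matched path
    returns: reflection on a static front page is far less severe
    than on an authenticated API. Confirm by hand before reporting
    this as account takeover.
  classification:
    cwe-id: CWE-942
  tags:
    - cors
    - misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/"
      - "{{BaseURL}}/api/user"
      - "{{BaseURL}}/api/me"
    headers:
      # Not a real host: if this value comes back the server trusts
      # arbitrary origins instead of checking an allow-list.
      Origin: "https://evil.example"
    # Both headers must be present on the same response. Reflection
    # without credentials does not expose authenticated data, and
    # browsers refuse to send credentials to a wildcard origin, so a
    # literal "*" is deliberately not matched here.
    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          # Anchored to the whole header line so an allow-listed value
          # that merely starts with our origin is not counted as
          # reflection. The trailing \s* absorbs the \r of CRLF lines.
          - "(?im)^access-control-allow-origin:\\s*https://evil\\.example\\s*$"
        name: origin-reflected
      - type: regex
        part: header
        regex:
          - "(?im)^access-control-allow-credentials:\\s*true\\s*$"
        name: credentials-enabled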