s0md3v/Corsy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

removed the nested folder, sorry too many commits

Browse Source
This commit is contained in:
duckie
2020-08-21 15:55:10 +05:30
parent a341f4871f
commit 742e3134fe
6 changed files with 0 additions and 274 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
Corsy/core/__init__.py
View File

@@ -1 +0,0 @@

21
Corsy/core/colors.py
View File

@@ -1,21 +0,0 @@
import sys
colors = True # Output should be colored
machine = sys.platform # Detecting the os of current system
if machine.lower().startswith(('os', 'win', 'darwin', 'ios')):
colors = False # Colors shouldn't be displayed in mac & windows
if not colors:
end = red = white = green = yellow = grey = run = bad = good = info = que = ''
else:
grey = '\033[37m'
white = '\033[97m'
green = '\033[92m'
red = '\033[91m'
yellow = '\033[93m'
end = '\033[0m'
back = '\033[7;91m'
info = '\033[93m!\033[0m'
que = '\033[94m?\033[0m'
bad = '\033[91m-\033[0m'
good = '\033[92m+\033[0m'
run = '\033[97m~\033[0m'

19
Corsy/core/requester.py
View File

@@ -1,19 +0,0 @@
import urllib3
import requests
from core.colors import bad
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Added better error handling.
# Added verbose options.
def requester(url, scheme, headers, origin):
headers['Origin'] = scheme + origin
try:
response = requests.get(url, headers=headers, verify=False).headers
for key, value in response.items():
if key.lower() == 'access-control-allow-origin':
return response
except requests.exceptions.RequestException as e:
if 'Failed to establish a new connection' in str(e):
print ( ' ' + bad + ' ' + url + ' seems to be down')

92
Corsy/core/tests.py
View File

@@ -1,92 +0,0 @@
import sys
import time
from core.requester import requester
from core.utils import host, load_json
details = load_json(sys.path[0] + '/db/details.json')
def passive_tests(url, headers):
root = host(url)
acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
if acao_header == '*':
info = details['wildcard value']
info['acao header'] = acao_header
info['acac header'] = acac_header
return {url : info}
if root:
if host(acao_header) and root != host(acao_header):
info = details['third party allowed']
info['acao header'] = acao_header
info['acac header'] = acac_header
return {url : info}
def active_tests(url, root, scheme, header_dict, delay):
headers = requester(url, scheme, header_dict, 'example.com')
if headers:
acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
if acao_header and acao_header == (scheme + 'example.com'):
info = details['origin reflected']
info['acao header'] = acao_header
info['acac header'] = acac_header
return {url : info}
elif not acao_header:
return
time.sleep(delay)
headers = requester(url, scheme, header_dict, root + '.example.com')
acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
if acao_header and acao_header == (scheme + root + '.example.com'):
info = details['post-domain wildcard']
info['acao header'] = acao_header
info['acac header'] = acac_header
return {url : info}
time.sleep(delay)
headers = requester(url, scheme, header_dict, 'd3v' + root)
acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
if acao_header and acao_header == (scheme + 'd3v' + root):
info = details['pre-domain wildcard']
info['acao header'] = acao_header
info['acac header'] = acac_header
return {url : info}
time.sleep(delay)
headers = requester(url, '', header_dict, 'null')
acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
if acao_header and acao_header == 'null':
info = details['null origin allowed']
info['acao header'] = acao_header
info['acac header'] = acac_header
return {url : info}
time.sleep(delay)
headers = requester(url, scheme, header_dict, root + '%60.example.com')
acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
if acao_header and '`.example.com' in acao_header:
info = details['broken parser']
info['acao header'] = acao_header
info['acac header'] = acac_header
return {url : info}
time.sleep(delay)
if root.count('.') > 1:
spoofed_root = root.replace('.', 'x', 1)
headers = requester(url, scheme, header_dict, spoofed_root)
acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
if acao_header and host(acao_header) == spoofed_root:
info = details['unescaped regex']
info['acao header'] = acao_header
info['acac header'] = acac_header
return {url : info}
time.sleep(delay)
headers = requester(url, 'http', header_dict, root)
acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
if acao_header and acao_header.startswith('http://'):
info = details['http origin allowed']
info['acao header'] = acao_header
info['acac header'] = acac_header
return {url : info}
else:
return passive_tests(url, headers)

78
Corsy/core/utils.py
View File

@@ -1,78 +0,0 @@
import os
import tld
import json
import tempfile
def host(string):
if string and '*' not in string:
return tld.get_fld(string, fix_protocol=True, fail_silently=True)
def load_json(file):
with open(file) as f:
return json.load(f)
def format_result(result):
new_result = {}
for each in result:
if each:
for i in each:
new_result[i] = each[i]
return new_result
def create_url_list(target_url, inp_file):
urls = []
if inp_file:
with open(inp_file, 'r') as file:
for line in file:
if line.startswith(('http://', 'https://')):
urls.append(line.rstrip('\n'))
if target_url and target_url.startswith(('http://', 'https://')):
urls.append(target_url)
return urls
def create_stdin_list(target_url, inp_file):
urls = []
if inp_file:
for line in inp_file.readlines():
if line.startswith(('http://', 'https://')):
urls.append(line.rstrip('\n'))
if target_url and target_url.startswith(('http://', 'https://')):
urls.append(target_url)
return urls
def prompt(default=None):
editor = 'nano'
with tempfile.NamedTemporaryFile(mode='r+') as tmpfile:
if default:
tmpfile.write(default)
tmpfile.flush()
child_pid = os.fork()
is_child = child_pid == 0
if is_child:
os.execvp(editor, [editor, tmpfile.name])
else:
os.waitpid(child_pid, 0)
tmpfile.seek(0)
return tmpfile.read().strip()
def extractHeaders(headers):
headers = headers.replace('\\n', '\n')
sorted_headers = {}
matches = re.findall(r'^?(.*?):\s(.*?)[\n$]', headers)
for match in matches:
header = match[0]
value = match[1]
try:
if value[-1] == ',':
value = value[:-1]
sorted_headers[header] = value
except IndexError:
pass
return sorted_headers

63
Corsy/db/details.json
View File

@@ -1,63 +0,0 @@
{
"wildcard value" : {
"class" : "wildcard value",
"description" : "This host allows requests made from any origin. However, browsers will block all requests to this host by default.",
"severity" : "low",
"exploitation" : "Not possible"
},
"third party allowed" : {
"class" : "third party allowed",
"description" : "This host has whitelisted a third party host for cross origin requests.",
"severity" : "Medium",
"exploitation" : "If the whitelisted host is a code hosting platform such as codepen.io or has an XSS vulnerability, it can be used to exploit this misconfiguration."
},
"origin reflected": {
"class" : "origin reflected",
"description" : "This host allows any origin to make requests to it.",
"severity" : "high",
"exploitation" : "Make requests from any domain you control."
},
"invalid value" : {
"class" : "invalid value",
"description" : "Header's value is invalid, this CORS implementation doesn't work at all.",
"severity" : "low",
"exploitation" : "Not possible"
},
"post-domain wildcard" : {
"class" : "post-domain wildcard",
"description" : "The origin verification is flawed, it allows requests from a host that has this host as a prefix.",
"severity" : "high",
"exploitation" : "Make requests from target.com.attacker.com"
},
"pre-domain wildcard" : {
"class" : "pre-domain wildcard",
"description" : "The origin verification is flawed, it allows requests from a host that has this host as a suffix.",
"severity" : "high",
"exploitation" : "Make requests from attacker-target.com"
},
"null origin allowed" : {
"class" : "null origin allowed",
"description" : "This host allows requests from 'null' origin.",
"severity" : "high",
"exploitation" : "Make requests from a sandboxed iframe."
},
"http origin allowed" : {
"class" : "http origin allowed",
"description" : "This host allows sharing resources over an unencrypted (HTTP) connection.",
"severity" : "low",
"exploitation" : "Sniff requests made over the unencrypted channel."
},
"broken parser" : {
"class" : "broken parser",
"description" : "The origin verification is flawed and can be bypassed using a backtick (`).",
"severity" : "high",
"exploitation" : "Set the 'Origin' header to %60.example.com"
},
"unescaped regex" : {
"class" : "unescaped regex",
"description" : "The regex used for origin verification contains an unescaped dot (.) character.",
"severity" : "high",
"exploitation" : "If the target is sub.example.com, make requests from subxexample.com"
}
}