Merge branch 'master' into master

README.md

@@ -63,13 +63,9 @@ Using Corsy is pretty simple
 - Backtick bypass
 - Null origin bypass
 - Unescaped dot bypass
+- Underscore bypass
 - Invalid value
 - Wild card value
 - Origin reflection test
 - Third party allowance test
 - HTTP allowance test
-### Support the developer
-Liked the project? Donate a few bucks to motivate me to keep writing code for free.
-
-- [Paypal](https://www.paypal.me/s0md3v)
-- [Patreon](https://www.patreon.com/s0md3v)

core/tests.py

@@ -62,6 +62,15 @@ def active_tests(url, root, scheme, header_dict, delay):
             return {url : info}
         time.sleep(delay)
 
+        headers = requester(url, scheme, header_dict, root + '_.example.com')
+        acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
+        if acao_header and '_.example.com' in acao_header:
+            info = details['unrecognized underscore']
+            info['acao header'] = acao_header
+            info['acac header'] = acac_header
+            return {url : info}
+        time.sleep(delay)
+
         headers = requester(url, scheme, header_dict, root + '%60.example.com')
         acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
         if acao_header and '`.example.com' in acao_header:

core/utils.py

@@ -1,13 +1,14 @@
 import os
-import tld
+import re
 import json
 import tempfile
 import re
 
+from urllib.parse import urlparse
 
 def host(string):
     if string and '*' not in string:
-        return tld.get_fld(string, fix_protocol=True, fail_silently=True)
+        return urlparse(string).netloc
 
 
 def load_json(file):

corsy.py

@@ -4,6 +4,7 @@
 import sys
 import json
 import argparse
+from requests.exceptions import ConnectionError
 
 from core.tests import active_tests
 from core.utils import host, prompt, format_result, extractHeaders, create_url_list, create_stdin_list
@@ -69,8 +70,10 @@ def cors(target, header_dict, delay):
     netloc = parsed.netloc
     scheme = parsed.scheme
     url = scheme + '://' + netloc + parsed.path
-    return active_tests(url, root, scheme, header_dict, delay)
+    try:
-
+        return active_tests(url, root, scheme, header_dict, delay)
+    except ConnectionError as exc:
+        print('%s Unable to connect to %s' % (bad, root))
 
 if urls:
     if len(urls) > 1:

db/details.json

@@ -48,6 +48,12 @@
 		"severity" : "low",
 		"exploitation" : "Sniff requests made over the unencrypted channel."
 	},
+	"unrecognized underscore" : {
+		"class" : "unrecognized underscore",
+		"description" : "The origin verification is flawed and can be bypassed using a underscore (_).",
+		"severity" : "high",
+		"exploitation" : "Set the 'Origin' header to target.com_.example.com"
+	},
 	"broken parser" : {
 		"class" : "broken parser",
 		"description" : "The origin verification is flawed and can be bypassed using a backtick (`).",

requirements.txt

@@ -1,2 +1 @@
-tld
 requests