{"skill":{"slug":"cors-scanner","displayName":"CORS Scanner","summary":"Scan web endpoints for CORS misconfigurations. Detect origin reflection, wildcard policies, null origin acceptance, credential leaks, subdomain trust, HTTP o...","description":"---\nname: cors-scanner\ndescription: Scan web endpoints for CORS misconfigurations. Detect origin reflection, wildcard policies, null origin acceptance, credential leaks, subdomain trust, HTTP origin trust on HTTPS, preflight issues, and private network access. Assign A-F security grades. Use when asked to check CORS, test cross-origin policy, audit CORS headers, scan for CORS vulnerabilities, or check if an API has safe CORS configuration. Triggers on \"CORS\", \"cross-origin\", \"CORS misconfiguration\", \"CORS scan\", \"Access-Control-Allow-Origin\", \"origin reflection\".\n---\n\n# CORS Misconfiguration Scanner\n\nScan web endpoints for dangerous Cross-Origin Resource Sharing policies. The scanner sends requests carrying attacker-style `Origin` values and inspects the `Access-Control-*` response headers for misconfigurations that would let a malicious page read the endpoint's responses cross-origin, including authenticated responses when credentials are allowed.\n\n## Quick Scan\n\n```bash\npython3 scripts/cors_scan.py https://api.example.com\n```\n\n## Batch Scan\n\n```bash\npython3 scripts/cors_scan.py https://api1.com https://api2.com https://api3.com\n```\n\n## Output Formats\n\n```bash\n# Text (default)\npython3 scripts/cors_scan.py <url>\n\n# JSON\npython3 scripts/cors_scan.py <url> --format json\n\n# Markdown report\npython3 scripts/cors_scan.py <url> --format markdown\n```\n\n## CI/CD Integration\n\n```bash\n# Fail if any URL grades below C\npython3 scripts/cors_scan.py https://api.example.com --min-grade C\necho $?  # 0 = pass, 1 = fail\n```\n\n## What It Checks (13 checks)\n\n| Check | Severity | Description |\n|-------|----------|-------------|\n| Origin reflection | Critical/High | Server echoes an arbitrary `Origin` back as ACAO. Critical when ACAC: true is also set, because an attacker's page can then read authenticated responses; High without credentials |\n| Credentials + wildcard | Critical | ACAO: * together with ACAC: true. Browsers refuse this combination, so it is not directly exploitable, but it shows the server intends to grant credentialed access to every origin |\n| Null origin accepted | High/Medium | Origin: null is trusted. Any attacker page can produce it from a sandboxed iframe (allow-scripts without allow-same-origin), a data: URL or a local file; High when credentials are also allowed |\n| HTTP origin on HTTPS | High | HTTPS endpoint trusts the plain-HTTP version of an origin, so an on-path attacker who injects script into that HTTP page can read the HTTPS responses (MitM risk) |\n| Subdomain wildcard | High | Any subdomain of the target domain is trusted (*.domain.com), so one XSS or subdomain takeover on any subdomain is enough |\n| Third-party origin | High | Confirms reflection with a second, different attacker domain |\n| Private network access | High | Endpoint answers Access-Control-Allow-Private-Network: true, so pages loaded from the public internet may call it even when it sits on a private or local address |\n| Wildcard origin (*) | Medium | ACAO: * on potentially sensitive endpoints. Browsers never send credentials with *, so it is safe for truly public data, but not for endpoints authenticated by IP or network location |\n| Sensitive headers exposed | Medium | Access-Control-Expose-Headers lists auth/session headers, so cross-origin scripts can read them |\n| Wildcard methods | Medium | ACAM: * allows any HTTP method (browsers treat * literally, not as a wildcard, when ACAC: true) |\n| Wildcard headers | Medium | ACAH: * allows any custom request header (same literal-when-credentialed caveat) |\n| Missing max-age | Low | No Access-Control-Max-Age, so every preflighted request repeats the OPTIONS round trip (a latency issue, not a security one) |\n| Clean | Info | No misconfigurations detected |\n\n## Grading\n\n| Grade | Meaning |\n|-------|---------|\n| A | No CORS issues detected |\n| B | Minor issues (low severity) |\n| C | Moderate issues (medium severity) |\n| D | Serious issues (high severity or multiple medium) |\n| F | Critical misconfigurations (origin reflection + credentials) |\n\n## Requirements\n\n- Python 3.6+\n- No external dependencies (stdlib only)\n\n## Examples\n\n```\n$ python3 scripts/cors_scan.py https://httpbin.org/get\nCORS Scan: https://httpbin.org/get\nGrade: A\nFindings: 0\n============================================================\n\n⚪ [INFO] No CORS misconfigurations detected\n  The scanned endpoint does not appear to have dangerous CORS policies.\n```\n","tags":{"latest":"1.0.1"},"stats":{"comments":0,"downloads":371,"installsAllTime":1,"installsCurrent":1,"stars":0,"versions":2},"createdAt":1775875999490,"updatedAt":1778492525637},"latestVersion":{"version":"1.0.1","createdAt":1777593651901,"changelog":"- No changes detected in this update.\n- Version 1.0.1 is identical to the previous release.","license":"MIT-0"},"metadata":null,"owner":{"handle":"charlie-morrison","userId":"s17cttbdxry5kkyafjw983mq8s83p4y3","displayName":"charlie-morrison","image":"https://avatars.githubusercontent.com/u/271589886?v=4"},"moderation":null}
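The check table and grading scale above, as an added example that is not the cors-scanner project's own code: an offline classifier for the header patterns each check looks for, plus the A-F grade rule. It works on already-captured response headers so it runs without network access; `fetch_headers()` shows how the same probe Origins would be sent live with the standard library. The function names, the attacker origin `https://evil.example`, the sample captures and the exact severity thresholds are assumptions made for this example.

```python
# Added example, not code from the cors-scanner project. Classifies captured CORS
# response headers per probe Origin and grades them on the README's A-F scale.
# Assumed names: probe_origins, classify, grade, scan_captured; assumed attacker
# origin "https://evil.example"; severity thresholds are this example's choice.
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key", "x-auth-token"}


def probe_origins(url):
    """One probe Origin per check that needs its own request."""
    host = urlsplit(url).hostname or ""
    return {
        "reflection": "https://evil.example",           # unrelated third-party origin
        "null": "null",                                  # sandboxed iframe / data: URL
        "http_downgrade": "http://" + host,              # same host over plain HTTP
        "subdomain": "https://evil." + host,             # arbitrary subdomain of the target
        "prefix": "https://" + host + ".evil.example",   # target host as prefix of attacker host
    }


def fetch_headers(url, origin, timeout=10):
    """Live probe (real network call; the offline samples below do not use it)."""
    req = Request(url, headers={"Origin": origin}, method="GET")
    with urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


def classify(url, probe, origin, headers):
    """Return (severity, check, detail) findings for one response to one probe Origin."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    out = []
    if acao is None:
        return out  # no CORS grant at all: the browser blocks the cross-origin read
    if acao == "*":
        if creds:  # browsers reject this pairing, so not exploitable as-is, but a clear misconfig
            out.append(("Critical", "credentials+wildcard", "ACAO: * with ACAC: true"))
        elif probe == "reflection":
            out.append(("Medium", "wildcard origin", "ACAO: * (safe only for truly public data)"))
    elif acao == origin:  # the server granted exactly the Origin we sent
        if probe in ("reflection", "prefix"):
            out.append(("Critical" if creds else "High", "origin reflection", "reflected " + origin))
        elif probe == "null":
            out.append(("High" if creds else "Medium", "null origin accepted", "Origin: null trusted"))
        elif probe == "http_downgrade" and urlsplit(url).scheme == "https":
            out.append(("High", "http origin on https", "trusted " + origin))
        elif probe == "subdomain":
            out.append(("High", "subdomain wildcard", "trusted " + origin))
    if probe == "reflection":  # origin-independent header checks, reported once per scan
        if h.get("access-control-allow-private-network", "").lower() == "true":
            out.append(("High", "private network access", "ACAPN: true"))
        exposed = {x.strip().lower() for x in h.get("access-control-expose-headers", "").split(",")}
        if exposed & SENSITIVE_HEADERS:
            out.append(("Medium", "sensitive headers exposed", ", ".join(sorted(exposed & SENSITIVE_HEADERS))))
        # '*' in ACAM/ACAH is a wildcard only for requests without credentials; with
        # ACAC: true browsers treat it as a literal method/header name, so it is skipped then
        if h.get("access-control-allow-methods") == "*" and not creds:
            out.append(("Medium", "wildcard methods", "ACAM: *"))
        if h.get("access-control-allow-headers") == "*" and not creds:
            out.append(("Medium", "wildcard headers", "ACAH: *"))
        if "access-control-max-age" not in h:
            out.append(("Low", "missing max-age", "preflights are not cached"))
    return out


def grade(findings):
    """A-F from the worst severity, following the README's scale."""
    worst = max((SEVERITY_RANK[s] for s, _, _ in findings), default=0)
    mediums = sum(1 for s, _, _ in findings if s == "Medium")
    if worst == 4:
        return "F"
    if worst == 3 or mediums >= 2:  # "high severity or multiple medium"
        return "D"
    return {2: "C", 1: "B"}.get(worst, "A")


def scan_captured(url, responses):
    """Aggregate captured responses ({probe_name: headers}) into a deduplicated report."""
    best = {}
    for probe, origin in probe_origins(url).items():
        for sev, check, detail in classify(url, probe, origin, responses.get(probe, {})):
            if check not in best or SEVERITY_RANK[sev] > SEVERITY_RANK[best[check][0]]:
                best[check] = (sev, check, detail)
    findings = sorted(best.values(), key=lambda f: -SEVERITY_RANK[f[0]])
    return {"url": url, "grade": grade(findings), "findings": findings}


# Constructed sample captures; no real server was contacted.
TARGET = "https://api.example.com/me"
REFLECTING = {p: {"Access-Control-Allow-Origin": o, "Access-Control-Allow-Credentials": "true",
                  "Access-Control-Allow-Methods": "*", "Vary": "Origin"}
              for p, o in probe_origins(TARGET).items()}  # echoes every Origin with credentials
STRICT = {p: {"Access-Control-Allow-Origin": "https://app.example.com",
              "Access-Control-Allow-Credentials": "true", "Access-Control-Max-Age": "600"}
          for p in probe_origins(TARGET)}  # fixed allow-list entry, never the probe origin
PUBLIC = {"reflection": {"Access-Control-Allow-Origin": "*", "Access-Control-Max-Age": "86400"}}

if __name__ == "__main__":
    for name, captured in (("reflecting", REFLECTING), ("strict", STRICT), ("public", PUBLIC)):
        r = scan_captured(TARGET, captured)
        print(name, r["grade"], [s + ":" + c for s, c, _ in r["findings"]])
```

The reflecting capture grades F (reflection with credentials), the strict one A, and the anonymous wildcard API C. Note that the reflecting sample also sends `Access-Control-Allow-Methods: *` with credentials and is deliberately not flagged for wildcard methods, since browsers read that `*` literally once `Access-Control-Allow-Credentials: true` is present.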