mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 13:44:56 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
2.1 KiB
2.1 KiB
API Reference: Testing CORS Misconfiguration
requests Library
Key Methods for CORS Testing
# Test origin reflection
resp = requests.get(url, headers={"Origin": "https://evil.com"})
# Test preflight
resp = requests.options(url, headers={
"Origin": "https://evil.com",
"Access-Control-Request-Method": "PUT",
"Access-Control-Request-Headers": "Authorization"
})
CORS Response Headers
| Header | Description |
|---|---|
Access-Control-Allow-Origin |
Specifies allowed origin(s) |
Access-Control-Allow-Credentials |
Whether cookies/auth headers are sent |
Access-Control-Allow-Methods |
Allowed HTTP methods for cross-origin |
Access-Control-Allow-Headers |
Allowed request headers |
Access-Control-Expose-Headers |
Headers accessible to JavaScript |
Access-Control-Max-Age |
Preflight cache duration in seconds |
Vulnerability Patterns
| Pattern | Severity | Description |
|---|---|---|
| Origin reflection + credentials | Critical | Any site can read authenticated responses |
| Null origin + credentials | High | Exploitable via sandboxed iframes |
| Wildcard + credentials | Critical | Invalid but sometimes misconfigured |
| Subdomain wildcard trust | Medium | XSS on subdomain enables CORS abuse |
| Regex bypass | High | Prefix/suffix matching allows attacker domains |
| Internal origins trusted | Medium | localhost/10.x accepted in production |
Testing Checklist
- Send
Origin: https://evil.com- check if reflected in ACAO - Send
Origin: null- check if null is accepted - Test subdomain variations of target domain
- Test prefix/suffix bypass:
target.com.evil.com - Test protocol downgrade:
http://instead ofhttps:// - Check preflight Max-Age (>86400 is excessive)
- Verify wildcard
*is not combined with credentials
References
- MDN CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
- PortSwigger CORS: https://portswigger.net/web-security/cors
- OWASP CORS Testing: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/07-Testing_Cross_Origin_Resource_Sharing