This extension can be used to test websites for CORS misconfigurations. It can spot trivial misconfigurations like arbitrary origin reflection, but also more sublte ones where a regex is not properly configured (e.g. www.victim.com.attacker.com). An issue is created if a dangeours origin is reflected. If Access-Control-Allow-Credentials: true is also set, the issue is rated high, otherwise low. Finally, the user has to decide whether the reflected Origin is intended (e.g. CDN) or whether it is a security issue.

CORS* - Additional CORS Checks can be run in either automatic or manual mode.

• In the CORS* tab, the extension can be activated.
• If activated, the extension will test CORS misconfigurations for each proxy request by sending multiple requests with different origins.
• There are options to only endable it for in-scope items and to exclude requests with certain file extensions.
• The URL for CORS Request is used to test for arbitrary reflection and as prefix/suffix in testing regex misconfigurations.

• If a potential misconfiguration is discovered, the request is highlighted in red (see request #3 above).
• The request here does reflect the null origin and has Access-Control-Allow-Credentials: true set.

• If an issue is detected, it is also reported in the Target and Dashboard tabs.

• Requests can be added to CORS* using the extension menu.

• The requests to test for CORS misconfiguration can then be sent using the Send CORS requests for selected entry button.

Start Burp and navigate to the Extender tab, Extensions, Add. Choose the CORS* - Additional_CORS_Checks JAR file to install the extension.

The easy way to install CORS* - Additional CORS Checks is using the BApp Store. Open Burp and navigate to the Extender tab, then to the BApp Store tab. Select CORS* and hit the Install button to install the extension.

• Yves Bieri (Github: ybieri, Twitter: yves_bieri)

Thanks to https://github.com/chenjj/CORScanner for the inspiration and https://github.com/portswigger/bookmarks for the Burp template.