Add CORS misconfiguration Bambda. (#139)

PortSwiggerRussell · web-flow · commit d71b820a8760 · 2025-09-18T10:33:24.000+01:00
* Add CORS misconfiguration Bambda.

* Use a random string for the domain extension.
diff --git a/CustomScanChecks/CORSMisconfiguration.bambda b/CustomScanChecks/CORSMisconfiguration.bambda
@@ -0,0 +1,53 @@
+id: 46cae4a9-45ff-406a-80bc-c9a0fe630535
+name: CORS misconfiguration
+function: SCAN_CHECK_ACTIVE_PER_REQUEST
+location: SCANNER
+source: |
+  /**
+   * Identifies CORS misconfiguration.
+   * @author PortSwigger
+   **/
+
+  if (!requestResponse.hasResponse())
+  {
+      return null;
+  }
+
+  var evilHttps = "https://" + api().utilities().randomUtils().randomString(6) + "." + api().utilities().randomUtils().randomString(3);
+  var evilHttp = "http://" + api().utilities().randomUtils().randomString(6) + "." + api().utilities().randomUtils().randomString(3);
+
+  for (var origin : new String[]{evilHttps, evilHttp})
+  {
+      var rr = http.sendRequest(requestResponse.request().withAddedHeader("Origin", origin));
+      if (!rr.hasResponse())
+      {
+          continue;
+      }
+
+      var headers = rr.response().headers().toString().toLowerCase();
+      var creds = headers.contains("access-control-allow-credentials: true");
+      var reflect = headers.contains("access-control-allow-origin: " + origin.toLowerCase());
+      var vary = headers.contains("vary: origin");
+
+      if (reflect)
+      {
+          var severity = creds ? AuditIssueSeverity.HIGH : AuditIssueSeverity.MEDIUM;
+          var note = vary ? "" : " (missing Vary: Origin)";
+          return AuditResult.auditResult(
+                  AuditIssue.auditIssue(
+                          "CORS: arbitrary origin reflection" + note,
+                          "Reflected Origin: " + origin + "; credentials=" + creds,
+                          "Use strict allowlist; include Vary: Origin.",
+                          rr.request().url(),
+                          severity,
+                          AuditIssueConfidence.FIRM,
+                          "",
+                          "",
+                          severity,
+                          rr
+                  )
+          );
+      }
+  }
+
+  return AuditResult.auditResult();
