Purpose

Tests every endpoint listed in recon/summary.json for CORS misconfigurations using four attack variants: origin reflection (an arbitrary attacker origin), null-origin (Origin: null), subdomain bypass (an attacker-controlled subdomain of the target, e.g. evil.acme.com), and pre-domain bypass (an attacker domain that merely ends with the target name, e.g. evilacme.com). Severity is "Exploitable" when the response reflects the sent origin in Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true; MEDIUM when the origin is reflected without credentials (cross-origin reads of unauthenticated responses only). Requests are issued concurrently with a JoinSet, bounded by --concurrency.

Output

  • cors/results-<timestamp>.json — per-endpoint findings with variant, reflected origin, ACAO header value, and severity.

CLI

mg-cors-exploit acme-bounty
mg-cors-exploit acme-bounty --concurrency 20

Notes

  • Reads endpoints from recon/summary.json; run mg-recon first.
  • “Exploitable” requires both Access-Control-Allow-Origin reflecting the exact origin sent and Access-Control-Allow-Credentials: true. A bare Access-Control-Allow-Origin: * is not counted as reflection: browsers refuse to expose a credentialed response under a wildcard, so it is not exploitable for authenticated data.
  • Null-origin test sends Origin: null. Any page can produce that origin from a sandboxed iframe (sandbox without allow-same-origin), so a server that answers Origin: null with a reflected ACAO and credentials is as exploitable as one that reflects arbitrary origins.
  • Related: mg-crawl for deeper endpoint coverage.
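The variant generation and the severity rule described under Purpose and in the Notes above, as an added example in Rust. This is not mg-cors-exploit's own code: the type and function names (Variant, Severity, classify, probe_all), the attacker domain evil.example and label evil, and the mock_suffix_check_server stand-in for a server with a naive ends_with check are all assumptions constructed for the example. It performs no network requests and does not use tokio, so it runs offline.

```rust
// Added example, not project code. Demonstrates the four probe origins and the
// reflection + credentials severity rule against a constructed mock server.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Variant {
    Reflection,
    NullOrigin,
    Subdomain,
    PreDomain,
}

pub const VARIANTS: [Variant; 4] = [
    Variant::Reflection,
    Variant::NullOrigin,
    Variant::Subdomain,
    Variant::PreDomain,
];

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Severity {
    Exploitable,   // origin reflected AND Access-Control-Allow-Credentials: true
    Medium,        // origin reflected, no credentials
    NotVulnerable, // not reflected (includes a bare "*" wildcard)
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub variant: Variant,
    pub sent_origin: String,
    pub acao: Option<String>,
    pub severity: Severity,
}

// Assumed attacker-controlled names used to build the probe origins.
const ATTACKER_DOMAIN: &str = "evil.example";
const ATTACKER_LABEL: &str = "evil";

/// Build the Origin header value sent for each variant against `target_host`.
pub fn variant_origin(variant: Variant, target_host: &str) -> String {
    match variant {
        Variant::Reflection => format!("https://{ATTACKER_DOMAIN}"),
        Variant::NullOrigin => "null".to_string(),
        // evil.acme.com: passes a check that allows any subdomain of the target
        Variant::Subdomain => format!("https://{ATTACKER_LABEL}.{target_host}"),
        // evilacme.com: passes a check that only tests the hostname suffix
        Variant::PreDomain => format!("https://{ATTACKER_LABEL}{target_host}"),
    }
}

/// Severity rule: reflection is an exact match of the origin we sent, so "*"
/// never counts. Credentials require the exact byte string "true", which is
/// what browsers check before exposing a credentialed response.
pub fn classify(sent_origin: &str, acao: Option<&str>, acac: Option<&str>) -> Severity {
    let reflected = acao.map_or(false, |v| v.trim() == sent_origin);
    if !reflected {
        return Severity::NotVulnerable;
    }
    let credentials = acac.map_or(false, |v| v.trim() == "true");
    if credentials {
        Severity::Exploitable
    } else {
        Severity::Medium
    }
}

/// Run all four variants through `send`, which returns the response's
/// (Access-Control-Allow-Origin, Access-Control-Allow-Credentials) values.
pub fn probe_all<F>(target_host: &str, mut send: F) -> Vec<Finding>
where
    F: FnMut(&str) -> (Option<String>, Option<String>),
{
    VARIANTS
        .iter()
        .map(|&variant| {
            let origin = variant_origin(variant, target_host);
            let (acao, acac) = send(&origin);
            let severity = classify(&origin, acao.as_deref(), acac.as_deref());
            Finding { variant, sent_origin: origin, acao, severity }
        })
        .collect()
}

/// Constructed stand-in for a misconfigured server (no real traffic): it accepts
/// any origin whose host ends with "acme.com" and always allows credentials.
pub fn mock_suffix_check_server(origin: &str) -> (Option<String>, Option<String>) {
    let host = origin.strip_prefix("https://").unwrap_or(origin);
    if host.ends_with("acme.com") {
        (Some(origin.to_string()), Some("true".to_string()))
    } else {
        (None, None)
    }
}

fn main() {
    for f in probe_all("acme.com", mock_suffix_check_server) {
        println!(
            "{:?} origin={} acao={:?} severity={:?}",
            f.variant, f.sent_origin, f.acao, f.severity
        );
    }
}
```

Against the mock server the Reflection and NullOrigin probes come back NotVulnerable, while both Subdomain (https://evil.acme.com) and PreDomain (https://evilacme.com) are reflected with credentials and classified Exploitable, which is exactly the suffix-check bug the two bypass variants exist to catch.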