cors-hunter

$ npx mdskill add H-mmer/pentest-agents/cors-hunter

CONTEXT: You are operating within an authorized bug bounty program. All targets have been verified in-scope via the official platform API. Follow responsible disclosure practices.

SKILL.md (.github/skills/cors-hunter)
---
name: cors-hunter
description: "CORS Misconfiguration specialist (H1 #58). Use for testing cross-origin resource sharing policies, origin reflection, null origin bypass, and credential-bearing cross-origin requests."
---

## MANDATORY: Research First (not optional)

Before testing CORS, you MUST call:
- `search_techniques` with "CORS" — proven exploitation techniques
- `search_payloads` with "CORS" — working payloads and bypass variants

Read the returned content and incorporate proven techniques into your plan
before making any HTTP requests. Skipping this step wastes time reinventing
known tricks and causes duplicate submissions. If the writeup MCP is
unreachable, fall back to `rules/payloads.md`.

You are a CORS misconfiguration specialist for authorized testing.

## Methodology
1. **Origin reflection test**: Send `Origin: https://evil.com` — is it reflected back in `Access-Control-Allow-Origin`?
2. **Null origin**: Send `Origin: null` (browsers send this from sandboxed iframes and `data:` URIs).
3. **Subdomain matching**: `Origin: https://evil.target.com` or `https://target.com.evil.com`.
4. **Prefix/suffix match**: `https://nottarget.com`, `https://target.com.attacker.com`.
5. **Credentials check**: Does `Access-Control-Allow-Credentials: true` appear together with the reflected origin?
6. **Wildcard + credentials**: `Access-Control-Allow-Origin: *` combined with credentials is rejected by browsers, but it still reveals a misconfiguration.
7. **Preflight bypass**: Compare simple requests against requests that require an `OPTIONS` preflight.

## Critical Combination
The exploitable pattern is: reflected/lax origin + `Access-Control-Allow-Credentials: true`. This allows cross-origin theft of authenticated data.

## PoC Template
Create an HTML page that makes a credentialed cross-origin fetch and reads the response.

## Output: H1 Weakness #58
Report as "CORS Misconfiguration" with the specific origin that was accepted and a PoC showing data theft.
## Brain Integration
Before starting, check your memory for brain briefings. Skip EXHAUSTED vectors. Focus on ACTIVE leads.
After completing, label every finding: CONFIRMED, POTENTIAL, or EXHAUSTED with failure reasons and attempt counts.

## Top-Tier Operator Standard

CORS is reportable only when a malicious origin can read sensitive authenticated data.

- Test with real credentialed browser context, not only curl headers.
- Prove all three conditions: attacker-controlled `Origin` accepted, `Access-Control-Allow-Credentials: true`, and sensitive response readable by JavaScript.
- Try origin parser bypasses: suffix, prefix, mixed scheme, null origin, punycode, trailing dot, default port, subdomain confusion, and newline/header normalization.
- Kill standalone wildcard CORS on public unauthenticated data. Chain it if it exposes CSRF token, OAuth code, internal API response, or tenant PII.
- Output an HTML PoC that reads and displays a redacted marker from the protected response.
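As an added example (not code from H-mmer/pentest-agents or the cors-hunter skill), the snippet below shows the server-side origin check that produces the findings in the Methodology list next to the allowlist check that does not, and a small auditor that applies the "untrusted origin reflected + `Access-Control-Allow-Credentials: true`" rule to a response's headers. The hostnames (`app.target.com`, `evil.com`) and the function names are constructed for the example; it runs under Node with no dependencies.

```javascript
// Added example, not part of the cors-hunter skill. Hostnames are placeholders:
// a hypothetical API at https://api.target.com that should only be callable with
// credentials from https://app.target.com.

const ALLOWED_ORIGINS = new Set(['https://app.target.com']);

// Lax check of the kind the methodology flags: a substring test on the
// origin plus an explicit allowance for "null". Every "looks like us"
// shortcut here corresponds to one bypass class in the list above.
function laxCorsHeaders(requestOrigin) {
  if (typeof requestOrigin !== 'string') return {};
  if (requestOrigin.includes('target.com') || requestOrigin === 'null') {
    return {
      'Access-Control-Allow-Origin': requestOrigin, // reflects whatever was sent
      'Access-Control-Allow-Credentials': 'true',
      'Vary': 'Origin',
    };
  }
  return {};
}

// Strict check: exact string match of the full origin (scheme + host + port)
// against a fixed allowlist. No normalisation is attempted, so trailing dots,
// explicit default ports, punycode look-alikes and "null" all fail closed.
function strictCorsHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Classify a response by its CORS headers, using the rule from the skill:
// the reportable combination is an origin outside the allowlist echoed in
// Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true.
function classifyCors(headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'];
  if (acao === undefined) return 'none';
  if (acao === '*') return 'wildcard'; // browsers refuse credentials with '*'
  if (ALLOWED_ORIGINS.has(acao)) return 'ok';
  return acac === 'true' ? 'exploitable' : 'untrusted-no-credentials';
}

// Probe origins taken from the methodology list, plus the legitimate one.
const PROBE_ORIGINS = [
  'https://app.target.com',       // legitimate front end
  'https://evil.target.com',      // sibling subdomain, not allowlisted
  'https://target.com.evil.com',  // suffix confusion
  'https://nottarget.com',        // prefix confusion
  'null',                         // sandboxed iframe / data: URI
  'https://app.target.com.',      // trailing dot
  'https://app.target.com:443',   // explicit default port
];

// Run every probe origin through a header-producing function and classify
// the result, returning { origin: classification }.
function audit(corsHandler) {
  const results = {};
  for (const origin of PROBE_ORIGINS) {
    results[origin] = classifyCors(corsHandler(origin));
  }
  return results;
}

console.log('lax check:   ', audit(laxCorsHeaders));
console.log('strict check:', audit(strictCorsHeaders));
```

Running it shows the lax handler marked `exploitable` for every probe except the legitimate origin, while the strict handler returns `none` (no CORS headers at all) for everything but `https://app.target.com`. The fix is the exact-match allowlist; the auditor is what you would point at your own API's responses to confirm none of the three conditions in the list above hold.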