Top Related Projects
A simple, yet elegant, HTTP library.
The open-source, cross-platform API client for GraphQL, REST, WebSockets, SSE and gRPC. With Cloud, Local and Git storage.
Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
FastAPI framework, high performance, easy to learn, fast to code, ready for production
A next generation HTTP client for Python. 🦋
Asynchronous HTTP client/server framework for asyncio and Python
Quick Overview
Corsy is an open-source tool designed to scan for Cross-Origin Resource Sharing (CORS) misconfigurations in web applications. It helps security researchers and developers identify potential vulnerabilities related to CORS policies, which could lead to unauthorized access to sensitive data.
Pros
- Easy to use and integrate into existing security workflows
- Provides detailed reports on CORS misconfigurations
- Supports multiple input formats, including single URLs and file lists
- Customizable with various options for fine-tuning scans
Cons
- Limited to CORS-specific vulnerabilities, not a comprehensive security scanner
- May produce false positives in some cases, requiring manual verification
- Requires Python knowledge for advanced usage and customization
- Documentation could be more extensive for some features
Getting Started
To get started with Corsy, follow these steps:
-
Clone the repository:
git clone https://github.com/s0md3v/Corsy.git
-
Install the required dependencies:
cd Corsy pip install -r requirements.txt
-
Run Corsy with a target URL:
python3 corsy.py -u https://example.com
For more advanced usage and options, refer to the project's README file on GitHub.
Competitor Comparisons
A simple, yet elegant, HTTP library.
Pros of Requests
- Widely adopted and well-maintained HTTP library for Python
- Extensive documentation and large community support
- Supports a wide range of HTTP methods and features
Cons of Requests
- Not specifically designed for CORS testing
- Requires additional code to perform CORS-specific checks
- May be overkill for simple CORS testing scenarios
Code Comparison
Requests:
import requests
response = requests.get('https://api.example.com')
print(response.headers.get('Access-Control-Allow-Origin'))
Corsy:
from corsy import CORS
cors = CORS('https://api.example.com')
cors.scan()
print(cors.results)
Key Differences
- Requests is a general-purpose HTTP library, while Corsy is specifically designed for CORS testing
- Corsy provides built-in CORS scanning functionality, whereas Requests requires custom implementation
- Requests offers more flexibility for various HTTP operations, but Corsy is more focused on CORS-related tasks
Use Cases
- Choose Requests for general HTTP operations and when you need a versatile library
- Opt for Corsy when specifically focusing on CORS testing and analysis
Community and Support
- Requests has a larger user base and more frequent updates
- Corsy is a smaller project with a more specialized focus on CORS
The open-source, cross-platform API client for GraphQL, REST, WebSockets, SSE and gRPC. With Cloud, Local and Git storage.
Pros of Insomnia
- Full-featured GUI application for API development and testing
- Supports a wide range of protocols and authentication methods
- Extensive plugin ecosystem for customization and integration
Cons of Insomnia
- Larger resource footprint due to being a desktop application
- Steeper learning curve for users new to API development tools
- Less focused on specific security testing features
Code Comparison
Corsy (Python):
def cors(url):
response = requester(url, headers={'Origin': 'https://example.com'})
if 'Access-Control-Allow-Origin' in response.headers:
return True
return False
Insomnia (JavaScript):
const response = await insomnia.send(request);
const headers = response.headers;
if (headers['access-control-allow-origin']) {
console.log('CORS is enabled');
}
Summary
Corsy is a lightweight, command-line tool specifically designed for CORS misconfiguration testing, while Insomnia is a comprehensive API development and testing platform with a graphical interface. Corsy offers simplicity and focus on CORS issues, whereas Insomnia provides a broader set of features for general API work but may require more resources and setup time.
Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
Pros of Postman App Support
- Extensive documentation and user guides for the Postman API development platform
- Active community support with frequent updates and issue resolutions
- Comprehensive feature set for API testing, documentation, and collaboration
Cons of Postman App Support
- Larger codebase and more complex setup compared to Corsy
- Primarily focused on supporting the Postman application, not a standalone tool
- May have a steeper learning curve for beginners
Code Comparison
Corsy (CORS misconfiguration scanner):
def scan(url, method, headers, body, cookie):
response = requester(url, method, headers, body, cookie)
if 'Access-Control-Allow-Origin' in response.headers:
return True
return False
Postman App Support (API request example):
pm.sendRequest({
url: "https://api.example.com/data",
method: "GET",
header: {
"Content-Type": "application/json"
}
}, function (err, response) {
console.log(response.json());
});
While Corsy focuses on CORS misconfiguration scanning, Postman App Support provides a broader set of tools for API development and testing. Corsy is more specialized and lightweight, while Postman offers a more comprehensive solution for API-related tasks.
FastAPI framework, high performance, easy to learn, fast to code, ready for production
Pros of FastAPI
- Comprehensive web framework for building APIs with Python
- Extensive documentation and large, active community
- High performance due to asynchronous capabilities
Cons of FastAPI
- Larger codebase and steeper learning curve
- May be overkill for simple API projects
- Requires more setup and configuration
Code Comparison
FastAPI example:
from fastapi import FastAPI
app = FastAPI()
@app.get("/")
async def root():
return {"message": "Hello World"}
Corsy example:
import corsy
@corsy.route('/')
def index():
return 'Hello, World!'
corsy.run()
Summary
FastAPI is a full-featured web framework for building APIs, offering extensive functionality and performance optimizations. It's well-suited for large-scale projects but may be excessive for simpler applications. Corsy, on the other hand, is a lightweight CORS misconfiguration scanning tool, focused on a specific security aspect rather than general API development. The choice between the two depends on the project's requirements and scope.
A next generation HTTP client for Python. 🦋
Pros of httpx
- More comprehensive HTTP client library with support for both sync and async operations
- Actively maintained with frequent updates and a larger community
- Extensive feature set including HTTP/2, WebSocket support, and automatic retries
Cons of httpx
- Larger and more complex library, potentially overkill for simple CORS testing
- Not specifically focused on CORS testing, requiring additional configuration for such tasks
- Steeper learning curve for users primarily interested in CORS-related functionality
Code comparison
Corsy (CORS testing):
def test_cors(url):
headers = {'Origin': 'https://example.com'}
response = requests.options(url, headers=headers)
return response.headers.get('Access-Control-Allow-Origin')
httpx (general HTTP request):
async with httpx.AsyncClient() as client:
response = await client.options(url, headers={'Origin': 'https://example.com'})
return response.headers.get('Access-Control-Allow-Origin')
Summary
Corsy is a specialized tool for CORS testing, while httpx is a more general-purpose HTTP client library. Corsy offers simplicity and focus for CORS-specific tasks, whereas httpx provides a broader range of features and flexibility for various HTTP-related operations. The choice between them depends on the specific requirements of the project and the depth of HTTP functionality needed.
Asynchronous HTTP client/server framework for asyncio and Python
Pros of aiohttp
- Comprehensive asynchronous HTTP client/server framework for Python
- Widely adopted with extensive documentation and community support
- Supports both client and server-side functionality
Cons of aiohttp
- Steeper learning curve, especially for developers new to asynchronous programming
- More complex setup and configuration compared to simpler CORS testing tools
Code comparison
aiohttp (client-side request):
async with aiohttp.ClientSession() as session:
async with session.get('http://example.com') as response:
html = await response.text()
Corsy (CORS misconfiguration check):
from corsy import check
result = check('http://example.com')
print(result)
Summary
aiohttp is a full-featured asynchronous HTTP framework for Python, offering both client and server capabilities. It's well-suited for building scalable web applications and services. Corsy, on the other hand, is a specialized tool for detecting CORS misconfigurations and security issues.
While aiohttp provides more flexibility and power for general HTTP operations, Corsy offers a simpler, focused approach for CORS-specific testing. Developers should choose based on their specific needs: comprehensive HTTP functionality (aiohttp) or targeted CORS security analysis (Corsy).
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Corsy
CORS Misconfiguration Scanner
Introduction
Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations.
Requirements
Corsy only works with Python 3
and has just one dependency:
requests
To install this dependency, navigate to Corsy directory and execute pip3 install requests
Usage
Using Corsy is pretty simple
python3 corsy.py -u https://example.com
Scan URLs from a file
python3 corsy.py -i /path/urls.txt
Scan URLs from stdin
cat urls.txt | python3 corsy.py
Number of threads
python3 corsy.py -u https://example.com -t 20
Delay between requests
python3 corsy.py -u https://example.com -d 2
Export results to JSON
python3 corsy.py -i /path/urls.txt -o /path/output.json
Custom HTTP headers
python3 corsy.py -u https://example.com --headers "User-Agent: GoogleBot\nCookie: SESSION=Hacked"
Skip printing tips
-q
can be used to skip printing of description
, severity
, exploitation
fields in the output.
Tests implemented
- Pre-domain bypass
- Post-domain bypass
- Backtick bypass
- Null origin bypass
- Unescaped dot bypass
- Underscore bypass
- Invalid value
- Wild card value
- Origin reflection test
- Third party allowance test
- HTTP allowance test
Top Related Projects
A simple, yet elegant, HTTP library.
The open-source, cross-platform API client for GraphQL, REST, WebSockets, SSE and gRPC. With Cloud, Local and Git storage.
Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
FastAPI framework, high performance, easy to learn, fast to code, ready for production
A next generation HTTP client for Python. 🦋
Asynchronous HTTP client/server framework for asyncio and Python
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot