Navigating the Digital Realm with Code and Security – Where Programming Insights Meet Cyber Vigilance. | अंत: अस्ति प्रारंभ: (The end is the beginning)
IHA089 Toolkit
Security Headers & Config Testing / CORS Policy Checkers
CORS-Scanner

CORS-Scanner is an automated tester that probes endpoints for lax CORS policies, flagging wildcard origins, reflected origins and Access-Control-Allow-Credentials exposure, with payload simulations that show the real-world abuse potential. Run its Python script against in-scope hosts, customize the probe origins for targeted checks, and export reports for remediation. Open-source from s0md3v, it's the origin oracle for pentesters uncovering misconfigurations that let an attacker's page read authenticated responses cross-origin.

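The probing a tool like this automates is easy to reason about once the probe origins and the classification rule are written down. The following is an added example, not CORS-Scanner's own code: it derives the Origin values a tester sends from the target URL (each one aimed at a different allowlist mistake), classifies the headers that come back, and rates the result. The target https://api.target.test, the attacker domain evil.example and the recorded responses are constructed so it runs offline; point `classify` at live responses to use it for real.

```python
"""Probe-origin generation and CORS response classification.

Added illustration, not CORS-Scanner's own code. The target URL, the
attacker domain and the recorded responses below are constructed so the
script runs offline; feed `classify` live headers (for example
requests.get(url, headers={"Origin": origin}).headers) to use it for real.
"""
from urllib.parse import urlparse

ATTACKER = "evil.example"  # constructed attacker-controlled domain


def origin_of(url):
    """Serialize scheme://host[:port] the way a browser's Origin header would."""
    u = urlparse(url)
    port = f":{u.port}" if u.port else ""
    return f"{u.scheme}://{u.hostname}{port}"


def probe_origins(target_url):
    """The Origin values a tester sends, keyed by the allowlist mistake each one catches."""
    host = urlparse(target_url).hostname
    return {
        "arbitrary": f"https://{ATTACKER}",              # server reflects anything
        "suffix_match": f"https://{host}.{ATTACKER}",    # startswith() or regex without $ anchor
        "unanchored": f"https://not{host}",              # endswith() or regex without ^ anchor
        "subdomain": f"https://takeover.{host}",         # any-subdomain rule plus a dangling subdomain
        "null": "null",                                  # sandboxed iframes, file://, some redirects
        "http_downgrade": f"http://{host}",              # scheme ignored: a plain-HTTP MITM can read the API
    }


def classify(probe_origin, response_headers, target_url):
    """Finding labels for one probe; header names are compared case-insensitively."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao is None:
        return findings  # no grant for this origin
    if acao == "*":
        findings.append("wildcard-origin")
        if creds:  # browsers refuse '*' with credentials, but it still betrays a broken policy
            findings.append("wildcard-with-credentials-header")
        return findings
    if acao == probe_origin:
        if probe_origin == "null":
            findings.append("null-origin-allowed")
        elif probe_origin.startswith("http://") and origin_of(target_url).startswith("https://"):
            findings.append("http-origin-allowed")
        elif probe_origin != origin_of(target_url):
            findings.append("origin-reflected")
        if findings and creds:
            findings.append("credentials-allowed")
    return findings


def severity(findings):
    """A reflected, null or http grant plus credentials lets an attacker's page read authenticated data."""
    grant = {"origin-reflected", "null-origin-allowed", "http-origin-allowed"} & set(findings)
    if grant and "credentials-allowed" in findings:
        return "high"
    if grant:
        return "medium"  # no cookies are sent, but network-restricted data is still readable
    if "wildcard-origin" in findings:
        return "low"
    return "none"


# Constructed responses, keyed by the Origin that was sent (not captured from any real host)
SAMPLE_RESPONSES = {
    "https://evil.example": {
        "Access-Control-Allow-Origin": "https://evil.example",
        "Access-Control-Allow-Credentials": "true",
    },
    "https://api.target.test.evil.example": {
        "Access-Control-Allow-Origin": "https://api.target.test.evil.example",
    },
    "null": {
        "Access-Control-Allow-Origin": "null",
        "Access-Control-Allow-Credentials": "true",
    },
    "https://notapi.target.test": {"Content-Type": "application/json"},
}


def scan(target_url, responses):
    """Run every probe against recorded responses -> {probe: (origin, findings, severity)}."""
    report = {}
    for name, origin in probe_origins(target_url).items():
        f = classify(origin, responses.get(origin, {}), target_url)
        report[name] = (origin, f, severity(f))
    return report


if __name__ == "__main__":
    for name, (origin, f, sev) in scan("https://api.target.test", SAMPLE_RESPONSES).items():
        print(f"{sev:6} {name:15} {origin:40} {', '.join(f) or '-'}")
```

The severity rule is the part worth keeping in mind when triaging scanner output: a reflected origin on its own only exposes data that the attacker could not otherwise reach (for example an IP-restricted internal API), while the same reflection combined with Access-Control-Allow-Credentials: true hands over the victim's authenticated responses.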
cors-checker

cors-checker is a CLI validator that sends preflight OPTIONS requests and checks the returned CORS headers (Access-Control-Allow-Origin, -Methods, -Headers and -Credentials), alerting on overly permissive rules such as a wildcard origin paired with credentials, or on endpoints that answer the preflight with no CORS headers at all. Configure it via YAML for batch domains and script its output into CI scans on deployments. Community open-source, it's the preflight patroller for devs enforcing strict origin policies in header audits.

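What a preflight validator has to decide is exactly what the browser decides after an OPTIONS response: does this origin, method and header set pass, and if not, why. The following is an added example, not cors-checker's own code; it applies the Fetch standard's preflight checks to a constructed response and adds the permissiveness warnings a checker should raise even when a given request passes. The origin https://app.target.test and the sample response are assumptions.

```python
"""Simulate the browser's CORS preflight decision for one OPTIONS response.

Added illustration, not cors-checker's own code. The rules follow the Fetch
standard's preflight checks; the sample preflight response is constructed.
Pass the CORS-unsafe request headers the real request would carry (for
example Authorization or X-Api-Key), not safelisted ones like Accept.
"""
SIMPLE_METHODS = {"GET", "HEAD", "POST"}  # CORS-safelisted methods never need listing


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()] if value else []


def evaluate_preflight(origin, method, request_headers, credentials, response_headers):
    """Return (allowed, reasons) for a preflight, judged as a browser would."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    reasons = []
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials") == "true"  # exactly 'true', case-sensitive
    allow_methods = [m.upper() for m in _csv(h.get("access-control-allow-methods"))]
    allow_headers = [x.lower() for x in _csv(h.get("access-control-allow-headers"))]
    wildcard_ok = not credentials  # '*' is only a wildcard for requests without credentials

    # 1. Origin: a missing header means no CORS handling on this route (404/405 preflights land here)
    if acao is None:
        reasons.append("response carries no Access-Control-Allow-Origin")
    elif acao == "*":
        if credentials:
            reasons.append("wildcard Access-Control-Allow-Origin is rejected for credentialed requests")
    elif acao != origin:
        reasons.append(f"origin {origin} not allowed (server granted {acao})")

    # 2. Credentials
    if credentials and not acac:
        reasons.append("Access-Control-Allow-Credentials is not exactly 'true'")

    # 3. Method
    m = method.upper()
    if m not in SIMPLE_METHODS and m not in allow_methods and not ("*" in allow_methods and wildcard_ok):
        reasons.append(f"method {m} not in Access-Control-Allow-Methods")

    # 4. Headers: '*' never covers Authorization, which must be listed explicitly
    for name in request_headers:
        n = name.lower()
        if n in allow_headers or ("*" in allow_headers and wildcard_ok and n != "authorization"):
            continue
        reasons.append(f"header {name} not in Access-Control-Allow-Headers")

    return (not reasons, reasons)


def permissiveness_warnings(response_headers):
    """Config smells worth alerting on even when a given preflight passes."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    warnings = []
    if h.get("access-control-allow-origin") == "*" and h.get("access-control-allow-credentials") == "true":
        warnings.append("'*' with Allow-Credentials: true: browsers reject it, credentialed clients break")
    if "*" in _csv(h.get("access-control-allow-methods")):
        warnings.append("Access-Control-Allow-Methods: * exposes every method the backend routes")
    if "*" in _csv(h.get("access-control-allow-headers")):
        warnings.append("Access-Control-Allow-Headers: * accepts any custom header from allowed origins")
    return warnings


# Constructed preflight response as returned by a misconfigured API
SAMPLE_PREFLIGHT = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "GET, POST, PUT",
    "Access-Control-Allow-Headers": "Content-Type, X-Requested-With",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    for creds in (False, True):
        ok, why = evaluate_preflight("https://app.target.test", "PUT", ["X-Requested-With"], creds, SAMPLE_PREFLIGHT)
        print(f"credentials={creds}: {'allowed' if ok else 'blocked'} {why}")
    print(permissiveness_warnings(SAMPLE_PREFLIGHT))
```

The constructed response illustrates the most common "it works in curl but not in the browser" report: with `Access-Control-Allow-Origin: *` the anonymous PUT passes, the same request with cookies is refused, and the `Allow-Credentials: true` sitting next to the wildcard is the tell that the policy was never thought through.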
nuclei-cors-templates

nuclei-cors-templates is a pack of YAML rules for Nuclei that send requests with attacker-controlled Origin values and match on responses that reflect them, allow a wildcard or grant credentials, giving scalable CORS checks across many hosts. Clone the template pack, run it through the Nuclei CLI against your targets, and triage hits by the severity set in each template from the JSON output. Open-source from projectdiscovery, it's the rule-based ranger for analysts templating CORS vuln hunts across fleets.

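For readers who have not written a Nuclei rule before, this is the shape such a template takes. It is an added example, not a template from nuclei-cors-templates or from projectdiscovery's own pack: the id, the author and the probe origin https://evil.example are placeholders, and the two matchers are ANDed so the rule fires only when the attacker origin is reflected and credentials are allowed, the high-severity case.

```yaml
id: cors-origin-reflection-credentials   # placeholder id

info:
  name: CORS origin reflected with credentials
  author: example-author                 # placeholder, replace with your handle
  severity: high
  description: |
    Sends a request with an attacker-controlled Origin and matches when the
    server echoes it back in Access-Control-Allow-Origin together with
    Access-Control-Allow-Credentials: true, which lets a page on that
    origin read the victim's authenticated responses.
  tags: cors,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}"
    headers:
      Origin: "https://evil.example"     # attacker-controlled origin (placeholder)

    matchers-condition: and
    matchers:
      - type: word
        part: header
        case-insensitive: true
        words:
          - "Access-Control-Allow-Origin: https://evil.example"

      - type: word
        part: header
        case-insensitive: true
        words:
          - "Access-Control-Allow-Credentials: true"
```

Run it with `nuclei -u https://target -t cors-origin-reflection-credentials.yaml -jsonl -o findings.jsonl` and the severity from the info block travels with every hit. Variants for the other probes (a suffix-match origin built from `{{Hostname}}`, `Origin: null`, a plain-http origin) are the same file with a different header value and matcher string; drop the credentials matcher and lower the severity for the reflection-only case.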
cors-fuzzer

cors-fuzzer is a mutation engine that sends many Origin values (prefix and suffix variants of the target, null, scheme changes) and HTTP methods at endpoints, then analyses the responses to find origin reflection or policy bypasses and map misconfigurations. Run its Go binary with custom payload lists and filter the output for origins the server accepted. Community open-source, it's the origin offender for pentesters stress-testing CORS with diverse inputs.

zap-cors-addon

zap-cors-addon is an OWASP ZAP extension for passive and active CORS checks: it inspects headers in proxied traffic and raises rule-based alerts for unsafe Access-Control-Allow-Origin values or Access-Control-Allow-Credentials: true on permissive grants. Install it from the ZAP Marketplace, proxy the application, and review the findings in the Alerts tab. Open-source from zaproxy, it's the inline inspector for web pentesters monitoring CORS in real-time flows.

cors-policy-tester

cors-policy-tester is a Python framework for simulating CORS requests, exercising preflight OPTIONS requests and credentialed fetches to verify that the policy is enforced the way OWASP guidance recommends. Define scenarios in YAML and run them from the CLI for detailed logs on each failure. Open-source from security-research, it's the policy prosecutor for analysts simulating attacks on header configs.

http-cors-check

http-cors-check is a lightweight Go tool that probes endpoints with OPTIONS requests, extracts the CORS headers and scores them, including whether a response that reflects the Origin carries Vary: Origin, since a cacheable per-origin grant without it can be served to a different origin from a shared cache. Run it on lists of endpoints and output CSV with compliance grades for dashboards. Open-source from elastic, it's the header hound for security teams templating CORS validations in scans.

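The Vary: Origin score is the one finding on this list that is easiest to dismiss and hardest to explain in a report, so here is the failure mode played out. This is an added example, not http-cors-check's code: a tiny origin server reflects only allowlisted origins, a model of a shared cache stores responses keyed on URL plus whatever the response's Vary header names, and two pages fetch the same URL through it. The allowlist, the URL and the origins are constructed.

```python
"""Why a reflected Access-Control-Allow-Origin needs Vary: Origin.

Added illustration for the http-cors-check entry, not its code. A tiny
origin server reflects allowlisted origins, and a model of a shared cache
keyed on URL plus the stored response's Vary headers shows what a second
origin receives. Allowlist, URLs and origins are constructed.
"""
ALLOWLIST = {"https://app.target.test", "https://admin.target.test"}


def origin_server(request_headers, emit_vary):
    """Reflect allowlisted origins only; emit_vary toggles the Vary: Origin header."""
    origin = request_headers.get("Origin")
    headers = {"Cache-Control": "public, max-age=600", "Content-Type": "application/json"}
    if origin in ALLOWLIST:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    if emit_vary:
        headers["Vary"] = "Origin"
    return headers


class SharedCache:
    """Minimal HTTP cache: a stored response matches when the request's values for the
    header names in that response's Vary equal the values seen when it was stored.
    With no Vary the entry matches every request for the URL."""

    def __init__(self, backend):
        self.backend = backend
        self.entries = {}  # url -> [(vary_names, vary_values, response)]
        self.hits = 0

    def get(self, url, request_headers):
        for names, values, response in self.entries.get(url, []):
            if all(request_headers.get(n) == v for n, v in zip(names, values)):
                self.hits += 1
                return response
        response = self.backend(request_headers)
        names = [v.strip() for v in response.get("Vary", "").split(",") if v.strip()]
        values = [request_headers.get(n) for n in names]
        self.entries.setdefault(url, []).append((names, values, response))
        return response


def scenario(first_origin, second_origin, emit_vary):
    """Two pages fetch the same URL through one shared cache; return the ACAO the second receives."""
    cache = SharedCache(lambda h: origin_server(h, emit_vary))
    cache.get("/api/me", {"Origin": first_origin})
    served = cache.get("/api/me", {"Origin": second_origin})
    return served.get("Access-Control-Allow-Origin")


def vary_finding(response_headers):
    """Scorer: a cacheable response whose ACAO is a specific origin must carry Vary: Origin."""
    h = {k.lower(): v for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    cc = h.get("cache-control", "").lower()
    cacheable = "no-store" not in cc and "private" not in cc
    vary = {v.strip().lower() for v in h.get("vary", "").split(",")}
    if acao and acao != "*" and cacheable and "origin" not in vary:
        return "missing-vary-origin"
    return None


if __name__ == "__main__":
    for vary in (False, True):
        print(f"Vary: Origin {'present' if vary else 'absent'}")
        # the allowlisted admin page receives app's grant from the cache, so its browser blocks the read
        print("  admin after app:", scenario("https://app.target.test", "https://admin.target.test", vary))
        # an unlisted origin primes the cache with a grant-less response, locking app out
        print("  app after evil :", scenario("https://evil.example", "https://app.target.test", vary))
```

Without Vary: Origin the first requester decides what everyone behind the cache gets: one legitimate origin's grant is served to another (whose browser then rejects the response), and anyone who can send a request with an unlisted Origin can leave a grant-less copy in the cache and break cross-origin access for the real clients until it expires. `vary_finding` is the check the scorer applies: a specific (non-wildcard) Access-Control-Allow-Origin on a cacheable response with no Vary: Origin.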
cors-validator

cors-validator is a Node.js library for runtime header validation: its middleware enforces a strict allowlist of origins and methods in Express and Next.js apps and audits preflight handling. Integrate it into tests and mock requests to check the policy under simulated conditions. Community open-source, it's the middleware monitor for devs debugging CORS in app layers.

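The check such middleware has to get right is the same whatever the framework, so it is worth seeing the weak and the strict version side by side. This is an added example and not cors-validator's code (that library is Node.js; this is Python showing the rule, not its API). Both functions take the incoming Origin header value and return the CORS response headers to emit; the allowlist and the probe origins are constructed.

```python
"""Server-side origin allowlisting: a weak check beside a strict one.

Added illustration for the cors-validator entry. cors-validator is a Node.js
library; this Python is not its code, it shows the validation rule such
middleware has to get right. Allowlist and origins are constructed. Both
functions take the incoming Origin header value and return the CORS response
headers to emit.
"""
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.target.test", "https://admin.target.test:8443"}


def weak_cors_headers(origin):
    """Typical mistake: suffix matching, then reflecting whatever matched, with credentials."""
    if origin and origin.endswith("target.test"):  # also true for https://evil-target.test
        return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}
    return {}


def strict_cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Exact match of the full origin (scheme, host, port) against a set.
    Rejects 'null', non-https schemes and anything that is not a bare origin,
    and always emits Vary: Origin so caches keep per-origin copies."""
    headers = {"Vary": "Origin"}
    if not origin or origin == "null":
        return headers
    parts = urlsplit(origin)
    if (parts.scheme != "https" or not parts.hostname or parts.path or parts.query
            or parts.fragment or parts.username is not None):
        return headers
    try:
        port = f":{parts.port}" if parts.port else ""
    except ValueError:  # malformed port such as https://host:abc
        return headers
    normalized = f"https://{parts.hostname}{port}"  # hostname is lower-cased by urlsplit
    if normalized in allowed:
        headers["Access-Control-Allow-Origin"] = normalized  # echo the allowlist entry, never raw input
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


# Constructed probes: what an attacker page or a misbehaving client might send
PROBES = [
    "https://app.target.test",               # legitimate
    "https://evil-target.test",              # suffix-match bypass
    "https://app.target.test.evil.example",  # prefix-match bypass
    "null",                                  # sandboxed iframe / file://
    "http://app.target.test",                # scheme downgrade
    "https://app.target.test/",              # not a valid Origin serialization
    "https://admin.target.test:8443",        # legitimate, with explicit port
]

if __name__ == "__main__":
    for o in PROBES:
        print(f"{o:40} weak={weak_cors_headers(o).get('Access-Control-Allow-Origin')!s:40} "
              f"strict={strict_cors_headers(o).get('Access-Control-Allow-Origin')}")
```

Three habits make the strict version hold up under the probes a scanner sends: compare whole origins including scheme and port rather than hostnames or suffixes, treat the literal string `null` as untrusted, and write the allowlist entry back instead of echoing the request header, so a lookup bug can never turn into reflection.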
burp-cors-extension

burp-cors-extension is a Burp Suite extension for active CORS fuzzing that injects Origin values and related headers into Intruder attacks to test for origin reflection or credential leaks. Load it into Burp, send the requests of interest to Intruder, and compare response diffs across payloads. Open-source from PortSwigger, it's the extension enforcer for pentesters probing CORS weaknesses inline.

cors-audit-tool

cors-audit-tool is a YAML-templated auditor for CORS configs, checking Access-Control-Allow-Methods and Access-Control-Max-Age against baselines and generating suggested fixes in its reports. Scan via its Python CLI through a proxy and export SARIF for pipeline integration. Open-source from Bridgecrew, it's the audit artisan for security pros crafting compliance templates for header policies.

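A baseline audit of this kind is a handful of comparisons plus a report format that CI systems ingest, and the SARIF part is where people usually get stuck. The following is an added example, not cors-audit-tool's code: the baseline values, rule ids (CORS001 to CORS003) and the two sample endpoints are constructed, and the SARIF skeleton carries only the fields the 2.1.0 schema requires for a run with results.

```python
"""Audit CORS response headers against a baseline and emit SARIF.

Added illustration for the cors-audit-tool entry, not its code. Baseline
values, rule ids and the sample responses are constructed; the SARIF output
follows the 2.1.0 schema's required fields (version, runs[].tool.driver.name,
runs[].results with ruleId, level and message).
"""
import json

BASELINE = {
    "allowed_methods": {"GET", "HEAD", "POST", "OPTIONS"},
    "max_age_seconds": 600,
    "forbid_wildcard_with_credentials": True,
}


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()] if value else []


def audit(url, headers, baseline=BASELINE):
    """Return a list of (rule_id, level, message) for one endpoint's CORS headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    results = []

    # CORS001: methods granted beyond the baseline (PUT/DELETE/PATCH on a read-only API, or '*')
    methods = {m.upper() for m in _csv(h.get("access-control-allow-methods"))}
    extra = sorted(methods - baseline["allowed_methods"])
    if "*" in methods:
        results.append(("CORS001", "warning", "Access-Control-Allow-Methods uses '*'"))
    elif extra:
        results.append(("CORS001", "warning", f"methods beyond baseline: {', '.join(extra)}"))

    # CORS002: preflight cache lifetime; a long Max-Age delays every policy change on the client
    max_age = h.get("access-control-max-age")
    if max_age is not None:
        try:
            seconds = int(max_age)
        except ValueError:
            results.append(("CORS002", "error", f"non-numeric Access-Control-Max-Age: {max_age!r}"))
        else:
            if seconds > baseline["max_age_seconds"]:
                results.append(("CORS002", "note",
                                f"Access-Control-Max-Age {seconds}s exceeds baseline "
                                f"{baseline['max_age_seconds']}s; policy changes take that long to reach clients"))

    # CORS003: wildcard origin with credentials, a combination browsers refuse
    if (baseline["forbid_wildcard_with_credentials"]
            and h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        results.append(("CORS003", "error", "wildcard origin combined with Access-Control-Allow-Credentials: true"))
    return results


def to_sarif(findings_by_url):
    """Wrap audit results in a minimal SARIF 2.1.0 log; level is one of note/warning/error."""
    results = []
    for url, findings in findings_by_url.items():
        for rule_id, level, message in findings:
            results.append({
                "ruleId": rule_id,
                "level": level,
                "message": {"text": message},
                "locations": [{"physicalLocation": {"artifactLocation": {"uri": url}}}],
            })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": "cors-baseline-audit (example)"}}, "results": results}],
    }


# Constructed responses for two endpoints (not captured from any real host)
SAMPLE = {
    "https://api.target.test/v1": {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
        "Access-Control-Max-Age": "86400",
    },
    "https://static.target.test": {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Methods": "GET, HEAD",
        "Access-Control-Max-Age": "300",
    },
}


def run(sample=SAMPLE):
    """Audit every sampled endpoint and return the SARIF log as a dict."""
    return to_sarif({url: audit(url, h) for url, h in sample.items()})


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Pipelines that consume SARIF key on `ruleId` and `level`, so keep the ids stable across releases and reserve `error` for findings that should fail a build; a Max-Age above baseline is a `note` here because it costs agility, not confidentiality.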