The CORS Scanner — cors MCP tool — tests Access-Control-Allow-Origin and Access-Control-Allow-Credentials behaviour with 9 origin probes designed to catch every common misconfiguration.
The built-in scanner has a passive CORS check that flags wildcard ACAO with credentials. The cors scanner is the active counterpart — actively probes the endpoint with crafted Origin headers to confirm exploitability.
🔗Origin Probes
The scanner sends a series of requests to the target, each with a different Origin header, and inspects the response. The actual probe set (per cors.rs):
| Probe | Origin sent | What it tests |
|---|---|---|
| null_origin | null | Some servers reflect literal null, exploitable via sandboxed iframes / data: schemes |
| arbitrary_origin | https://evil.com | Server reflects an arbitrary origin → full bypass |
| subdomain | https://subdomain.<host> | Subdomain trust where you can register a subdomain |
| prefix_match | https://<host>.evil.com | Naive prefix matching (startsWith("<host>")) |
| suffix_match | https://evil<host> | Naive suffix matching |
| backtick_bypass | <target> + %60evil.com | Backtick character bypass |
| underscore_bypass | https://<host>_.evil.com | Underscore-based parser bypass |
| same_origin | <target_origin> | Baseline |
A custom origin can be added on top via the request params (origin: "...").
For each probe, the scanner records:
- ACAO header in response (if present)
- ACAC header (Access-Control-Allow-Credentials)
- Response body shape (size, status)
- Whether the response includes sensitive content (auth cookies, CSRF tokens, etc.)
🔗Verdict per Probe
- Vulnerable — origin reflected + ACAC=true + sensitive response content (cookie/auth data)
- Risky — origin reflected without credentials, or ACAC=true with no sensitive content
- Safe — origin not reflected, or restricted to allowed list
🔗Pre-flight Test
For each probe, the scanner also sends an OPTIONS preflight to check Access-Control-Allow-Methods and Access-Control-Allow-Headers. Permissive responses to preflights are flagged separately (CORS preflight bypass enables wider attacks).
🔗Running a Scan
From the Scanner view:
- Select an endpoint to test (or multi-select)
- Run CORS action
- View the per-probe results table
- Click any vulnerable row to see the full request + response with the offending Origin header highlighted
🔗Workflow Integration
- Right-click any flow in Logger → Scan for CORS runs a focused 9-probe scan
- From Sitemap → right-click any host → Scan All Endpoints for CORS
- From a Crawl — auto-trigger CORS scan on every captured endpoint via a Workflow
🔗Findings Output
Vulnerable probes auto-create findings with:
- Severity High (CORS reflection + credentials with sensitive content)
- Severity Medium (reflection without credentials, or wildcards on sensitive endpoints)
- CWE-942 (Permissive Cross-domain Policy with Untrusted Domains)
- Evidence: the probe request + response showing reflection
- Suggested PoC HTML for the report (auto-generated)
🔗MCP
The cors MCP tool exposes:
scan— full 9-probe scan against a URLscan_flow— scan based on a captured flowtechniques— list available probe techniques
🔗Tips
- Test authenticated endpoints. CORS misconfigurations matter when there’s something worth stealing — auth cookies, account data. An unauthenticated public endpoint with permissive CORS is rarely a finding.
- Always include preflight results. Some apps lock down GET/POST origins but allow arbitrary methods on preflight, which is exploitable for state-changing requests.
- Combine with cookie inspection. A CORS misconfig + a
Set-CookiewithoutSameSite=Noneis often a non-finding because the cookie won’t be sent. Check the cookie posture in Cookie Jar.