Merge pull request #33 from s0md3v/hotfix

HOTFIX
s0md3v · Jan 28, 2021 · 06f4d4a · 06f4d4a
2 parents 35d18e9 + de9aff1
commit 06f4d4a
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 24 deletions.
diff --git a/core/requester.py b/core/requester.py
@@ -8,7 +8,7 @@
 # Added verbose options.
 
 def requester(url, scheme, headers, origin):
-    headers['Origin'] = scheme + origin
+    headers['Origin'] = origin
     try:
         response = requests.get(url, headers=headers, verify=False).headers
         for key, value in response.items():
@@ -19,3 +19,4 @@ def requester(url, scheme, headers, origin):
             print ('%s %s is unreachable' % (bad, url))
         elif 'requests.exceptions.TooManyRedirects:' in str(e):
         	print ('%s %s has too many redirects' % (bad, url))
+    return {}
diff --git a/core/tests.py b/core/tests.py
@@ -8,7 +8,7 @@
 
 def passive_tests(url, headers):
     root = host(url)
-    acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
+    acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
     if acao_header == '*':
         info = details['wildcard value']
         info['acao header'] = acao_header
@@ -23,10 +23,12 @@ def passive_tests(url, headers):
 
 
 def active_tests(url, root, scheme, header_dict, delay):
-    headers = requester(url, scheme, header_dict, 'example.com')
+    origin = scheme + '://' + root
+    headers = requester(url, scheme, header_dict, origin)
     if headers:
-        acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
-        if acao_header and acao_header == (scheme + 'example.com'):
+        origin = root + '://' + 'example.com'
+        acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
+        if acao_header and acao_header == (origin):
             info = details['origin reflected']
             info['acao header'] = acao_header
             info['acac header'] = acac_header
@@ -35,44 +37,49 @@ def active_tests(url, root, scheme, header_dict, delay):
             return
         time.sleep(delay)
 
-        headers = requester(url, scheme, header_dict, root + '.example.com')
-        acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
-        if acao_header and acao_header == (scheme + root + '.example.com'):
+        origin = scheme + '://' + root + '.example.com'
+        headers = requester(url, scheme, header_dict, origin)
+        acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
+        if acao_header and acao_header == (origin):
             info = details['post-domain wildcard']
             info['acao header'] = acao_header
             info['acac header'] = acac_header
             return {url : info}
         time.sleep(delay)
 
-        headers = requester(url, scheme, header_dict, 'd3v' + root)
-        acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
-        if acao_header and acao_header == (scheme + 'd3v' + root):
+        origin = scheme + '://d3v' + root
+        headers = requester(url, scheme, header_dict, origin)
+        acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
+        if acao_header and acao_header == (origin):
             info = details['pre-domain wildcard']
             info['acao header'] = acao_header
             info['acac header'] = acac_header
             return {url : info}
         time.sleep(delay)
 
-        headers = requester(url, '', header_dict, 'null')
-        acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
+        origin = 'null'
+        headers = requester(url, '', header_dict, origin)
+        acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
         if acao_header and acao_header == 'null':
             info = details['null origin allowed']
             info['acao header'] = acao_header
             info['acac header'] = acac_header
             return {url : info}
         time.sleep(delay)
 
-        headers = requester(url, scheme, header_dict, root + '_.example.com')
-        acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
-        if acao_header and '_.example.com' in acao_header:
+        origin = scheme + '://' + root + '_.example.com'
+        headers = requester(url, scheme, header_dict, origin)
+        acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
+        if acao_header and acao_header == origin:
             info = details['unrecognized underscore']
             info['acao header'] = acao_header
             info['acac header'] = acac_header
             return {url : info}
         time.sleep(delay)
 
-        headers = requester(url, scheme, header_dict, root + '%60.example.com')
-        acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
+        origin = scheme + '://' + root + '%60.example.com'
+        headers = requester(url, scheme, header_dict, origin)
+        acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
         if acao_header and '`.example.com' in acao_header:
             info = details['broken parser']
             info['acao header'] = acao_header
@@ -81,17 +88,18 @@ def active_tests(url, root, scheme, header_dict, delay):
         time.sleep(delay)
 
         if root.count('.') > 1:
-            spoofed_root = root.replace('.', 'x', 1)
-            headers = requester(url, scheme, header_dict, spoofed_root)
-            acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
-            if acao_header and host(acao_header) == spoofed_root:
+            origin = scheme + '://' + root.replace('.', 'x', 1)
+            headers = requester(url, scheme, header_dict, origin)
+            acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
+            if acao_header and acao_header == origin:
                 info = details['unescaped regex']
                 info['acao header'] = acao_header
                 info['acac header'] = acac_header
                 return {url : info}
             time.sleep(delay)
-        headers = requester(url, 'http', header_dict, root)
-        acao_header, acac_header = headers['access-control-allow-origin'], headers.get('access-control-allow-credentials', None)
+        origin = 'http://' + root
+        headers = requester(url, 'http', header_dict, origin)
+        acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
         if acao_header and acao_header.startswith('http://'):
             info = details['http origin allowed']
             info['acao header'] = acao_header