원클릭으로
sc-cors
CORS misconfiguration detection — wildcard origin, reflected origin, null origin, and credential leaks
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
CORS misconfiguration detection — wildcard origin, reflected origin, null origin, and credential leaks
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
| name | sc-cors |
| description | CORS misconfiguration detection — wildcard origin, reflected origin, null origin, and credential leaks |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Detects Cross-Origin Resource Sharing misconfigurations that allow unauthorized cross-origin access to sensitive APIs. Covers wildcard origins with credentials, reflected origin without validation, null origin allowance, overly permissive regex matching, and subdomain matching bypasses.
Called by sc-orchestrator during Phase 2 when HTTP APIs are detected.
"Access-Control-Allow-Origin", "cors(", "CORS(",
"allowOrigin", "allow_origin", "AllowOrigin",
"Access-Control-Allow-Credentials",
"corsOptions", "cors_allowed_origins"
1. Wildcard with Credentials:
// VULNERABLE: Wildcard + credentials (browsers block this but misconfiguration indicates intent)
app.use(cors({
origin: '*',
credentials: true // This combination is a security anti-pattern
}));
2. Reflected Origin:
// VULNERABLE: Reflects any origin
app.use((req, res, next) => {
res.setHeader('Access-Control-Allow-Origin', req.headers.origin);
res.setHeader('Access-Control-Allow-Credentials', 'true');
next();
});
// SAFE: Allowlist
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];
app.use(cors({
origin: (origin, callback) => {
if (!origin || ALLOWED_ORIGINS.includes(origin)) {
callback(null, true);
} else {
callback(new Error('CORS not allowed'));
}
},
credentials: true
}));
3. Null Origin Allowed:
# VULNERABLE: Allows null origin (exploitable via sandboxed iframe)
CORS_ALLOWED_ORIGINS = ['null'] # Attackers can send Origin: null
4. Regex Bypass:
// VULNERABLE: Weak regex allows subdomain takeover attack
origin: /\.example\.com$/ // Matches evil-example.com too!
// SAFE: Anchor regex properly
origin: /^https:\/\/([a-z]+\.)?example\.com$/
** on static files is standard practicelocalhost origins in dev config