The tool currently scans for pre/post/sub-domain misconfigurations if the request you supply already has an Origin header, but this means you need to supply a cross-origin domain to begin with. If the site (e.g. Vulnerable.com) is already making CORS requests (Origin: sistersite.com), they'll just use that. If the site isn't already making CORS requests, it's likely a tester will just include their own domain as a basic test and let the tool do the work (e.g. Origin: attacker.com).
However, since you're basing the pre/post/sub-domain misconfig checks on the Origin header that was supplied, it's possible you're missing some test cases. For example, if we assume the site is configured to respond with CORS headers for the origin sistersite.com and *vulnerable.com, we won't detect the second misconfiguration.
My suggestion is to also add pre/post/sub-domain misconfig checks using the site's Host header. I don't mean modifying the Host header here, as, like you said, this would be a separate tool. Instead I'm just recommending that the tool constructs new Origin headers, using the original Host header as test cases.
For example:
GET /api/example HTTP/1.1
Host: vulnerable.com
Origin: sistersite.com
Connection: close
Existing Test cases:
Test cases to be added:
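As an added illustration of the suggestion above (example code, not part of the tool or of this comment): it derives pre/post/sub-domain Origin test cases from both the supplied Origin and the request's Host header, then runs them against a constructed stand-in for the policy described (sistersite.com plus *vulnerable.com) to show which cases only the Host-derived origins catch. The tester domain attacker.com, the https scheme and all function names are assumptions.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Tester-controlled domain used to build test cases (the comment uses attacker.com).
TESTER = "attacker.com"


def hostname(value: str) -> str:
    """Extract a bare, lower-cased hostname from a Host or Origin value."""
    if "://" not in value:
        value = "//" + value          # let urlsplit treat it as a netloc
    return urlsplit(value).hostname or ""


def origin_variants(base: str, tester: str = TESTER) -> Dict[str, str]:
    """Pre/post/sub-domain Origin test cases derived from `base` (assumes https)."""
    host = hostname(base)
    label = tester.split(".")[0]
    return {
        "pre": f"https://{label}{host}",      # e.g. attackervulnerable.com
        "post": f"https://{host}.{tester}",   # e.g. vulnerable.com.attacker.com
        "sub": f"https://{label}.{host}",     # e.g. attacker.vulnerable.com
    }


def simulated_acao(origin: str) -> Optional[str]:
    """Constructed stand-in for the target's CORS policy from the comment: it
    allows sistersite.com and anything matching *vulnerable.com by reflecting
    the Origin in Access-Control-Allow-Origin; anything else gets no header."""
    host = hostname(origin)
    if host == "sistersite.com" or host.endswith("vulnerable.com"):
        return origin
    return None


def run_checks(request_host: str, request_origin: Optional[str]) -> Dict[str, bool]:
    """Map each test case (prefixed by the header it came from) to whether the
    policy reflected that Origin, i.e. whether a misconfiguration was detected."""
    cases: Dict[str, str] = {}
    if request_origin:
        cases.update({f"origin-{k}": v for k, v in origin_variants(request_origin).items()})
    cases.update({f"host-{k}": v for k, v in origin_variants(request_host).items()})
    return {name: simulated_acao(o) == o for name, o in cases.items()}


if __name__ == "__main__":
    # The request from the comment: Host vulnerable.com, Origin sistersite.com.
    for name, hit in run_checks("vulnerable.com", "sistersite.com").items():
        print(f"{name:12} {'MISCONFIG' if hit else 'ok'}")
```

With the request from the comment, every Origin-derived case comes back clean while the Host-derived pre and sub cases expose the *vulnerable.com rule.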