Description
CorsMe is a fast CORS misconfiguration scanner written in Go. It checks for multiple CORS misconfiguration types including reflected origin, null origin acceptance, wildcard with credentials, and subdomain prefix/suffix bypass techniques.
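The misconfiguration types listed above, seen from the server side: a flawed origin check beside an exact-allowlist one that fixes it. This is an added example, not code from CorsMe or the original page; the `example.com` allowlist, the `untrusted.test` probe origins and all function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Hypothetical allowlist for this example: exact origins, scheme included.
var allowed = map[string]bool{
	"https://example.com":     true,
	"https://app.example.com": true,
}

// weakAllowed shows the flawed checks behind several finding types:
// accepting "null" and matching the trusted name as a prefix or suffix.
func weakAllowed(origin string) bool {
	return origin == "null" || strings.HasPrefix(origin, "https://example.com") ||
		strings.HasSuffix(origin, "example.com")
}

// strictAllowed accepts only an exact match against the allowlist.
func strictAllowed(origin string) bool { return allowed[origin] }

// corsHeaders builds the CORS response headers for a request Origin. It echoes
// the origin only when allowlisted and never pairs "*" with credentials.
func corsHeaders(origin string) http.Header {
	h := http.Header{}
	h.Set("Vary", "Origin") // keep caches from serving one origin's answer to another
	if strictAllowed(origin) {
		h.Set("Access-Control-Allow-Origin", origin)
		h.Set("Access-Control-Allow-Credentials", "true")
	}
	return h
}

func main() {
	// Constructed probe origins, one per misconfiguration type.
	probes := []string{
		"https://app.example.com",            // legitimate caller
		"null",                               // null origin
		"https://example.com.untrusted.test", // trusted name as prefix
		"https://untrustedexample.com",       // trusted name as suffix
		"https://untrusted.test",             // only a blind reflector accepts this
	}
	for _, o := range probes {
		fmt.Printf("%-36s weak=%-5v strict=%-5v ACAO=%q\n", o, weakAllowed(o), strictAllowed(o), corsHeaders(o).Get("Access-Control-Allow-Origin"))
	}
}
```

A scanner finding disappears once the server stops emitting `Access-Control-Allow-Origin` for origins outside the allowlist, which is what the empty `ACAO` column shows for the last four probes.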
Installation
BASH
go install github.com/Shivangx01b/CorsMe@latest
Basic Usage
BASH
# Scan single URL
CorsMe -u https://target.com
# Scan from file
CorsMe -l urls.txt
Advanced Usage
BASH
# Custom threads
CorsMe -l urls.txt -t 30
# Verbose output
CorsMe -l urls.txt -v
# Output to file
CorsMe -l urls.txt -o results.txt
Common Workflows
BASH
# Pipeline from subdomain enum
subfinder -d target.com -silent | httpx -silent | CorsMe -l /dev/stdin
# Focus on API endpoints
gau target.com | grep -i "api" | sort -u | CorsMe -l /dev/stdin -t 20