CorsOne
CorsOne - CORS Misconfiguration Discovery Tool
CorsOne is a tool designed to quickly and easily detect CORS misconfiguration, compensating for the shortcomings of other tools and providing automatic testing for all relevant cases.
Features
- Accurate and fast diagnosis of CORS Misconfiguration vulnerability
- STDIN support enables easy integration with other tools or your own methodology
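What a CORS misconfiguration looks like at the response-header level, as an added example that is not CorsOne's code and does not describe its test cases: the function classifies the headers returned for a request that carried an origin the application does not trust. The finding names, origins and sample responses are constructed for illustration.

```python
from typing import Dict, List


def classify_cors(sent_origin: str, headers: Dict[str, str]) -> List[str]:
    """Findings for a response to a request that carried `sent_origin`.

    Assumption: `sent_origin` is an origin the application must NOT trust.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    vary = [v.strip().lower() for v in h.get("vary", "").split(",")]
    findings: List[str] = []

    if acao is None:
        return findings  # no CORS grant: cross-origin reads stay blocked
    if acao == "*":
        # Browsers do not expose credentialed responses under "*", so this
        # matters only when the resource is sensitive without cookies.
        findings.append("wildcard-origin")
    elif acao == "null":
        # Sandboxed documents send "Origin: null"; it must never be allowed.
        findings.append("null-origin-trusted" + ("-with-credentials" if creds else ""))
    elif acao == sent_origin:
        # The server echoed an origin it should have rejected.
        findings.append("untrusted-origin-reflected" + ("-with-credentials" if creds else ""))
        if "origin" not in vary and "*" not in vary:
            # A per-origin header without "Vary: Origin" can be served from a
            # shared cache to a different origin.
            findings.append("reflected-without-vary-origin")
    return findings


UNTRUSTED = "https://untrusted.example"  # constructed test origin
SAMPLES = [  # constructed responses, not output from any real host
    {"Access-Control-Allow-Origin": UNTRUSTED, "Access-Control-Allow-Credentials": "true"},
    {"Access-Control-Allow-Origin": "null", "Access-Control-Allow-Credentials": "true"},
    {"access-control-allow-origin": "*"},
    {"Access-Control-Allow-Origin": "https://app.example", "Vary": "Origin"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_cors(UNTRUSTED, sample) or ["ok"], sample)
```

An empty list means the response did not grant the untrusted origin anything; the fix for the other cases is an exact-match allowlist of origins on the server.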
Install
🐳 Run with Docker
You can use the official Docker image of this tool without installing any dependencies:
1. Pull the image from DockerHub
docker pull omranisecurity/corsone:latest
2. Run the tool with Docker
docker run --rm omranisecurity/corsone:latest -u https://example.com/
🛠️ Manual Installation (Python)
If you prefer to install and run the tool manually:
1. Create a Virtual Environment
python3 -m venv env-corsone
2. Activate the Virtual Environment
On macOS/Linux:
source env-corsone/bin/activate
On Windows:
env-corsone\Scripts\activate
3. Clone the Repository:
git clone https://github.com/omranisecurity/CorsOne.git
cd CorsOne
python3 -m pip install -r requirements.txt
4. Exit the Virtual Environment (when done):
deactivate
Usage
python3 CorsOne.py [-h] [-u URL] [-l LIST] [-sof] [-ch CUSTOM_HEADERS] [-rl RATE_LIMIT] [-m {GET,POST}] [-p PROXY] [-s] [-v] [-nc] [-o OUTPUT]
Running the tool with -h displays its help. Here are all the switches it supports.
Usage:
python3 CorsOne.py [flags]
Flags:
INPUT:
   -u, --url               input target url to probe
   -l, --list              input file list of URLs
Config:
   -sof, --stop-on-first   stop testing after finding the first vulnerability
   -ch, --custom-headers   custom header to include in all http request in header:value format. -ch "header1: value1\nheader2: value2"
   -rl, --rate-limit       maximum requests to send per second
   -m, --method            HTTP method for the request
   -p, --proxy             SOCKS Proxy to use (eg -p "socks5://127.0.0.1:6060")
OUTPUT:
   -o, --output string     file to write output to
DEBUG:
   -s, --silent            show only result in output
   -v, --version           show version of CorsOne
   -nc, --no-color         disable color in output
Examples
- To check CORS misconfigurations for a specific domain:
python3 CorsOne.py -u https://example.com/
- To check CORS misconfigurations for a list of domains:
cat urls.txt | python3 CorsOne.py
or
python3 CorsOne.py -l list.txt
- Stop after finding the first CORS vulnerability:
python3 CorsOne.py -u https://example.com/ -sof
- Check CORS misconfigurations with custom headers:
python3 CorsOne.py -u https://example.com/ -ch "Cookie: name=value;\nAccept-Encoding: gzip, deflate, br"
- Check CORS misconfigurations with rate limit:
python3 CorsOne.py -u https://example.com/ -rl 5
- Check CORS misconfigurations with a custom HTTP method (default GET):
python3 CorsOne.py -u https://example.com/ -m POST
- Check CORS misconfigurations using a proxy:
python3 CorsOne.py -u https://example.com/ -p "socks5://ip:port/"
- Save scan results to a file using -o:
python3 CorsOne.py -u https://example.com/ -o output_filename.txt
Acknowledgment
- Thanks to hacktricks.xyz (https://book.hacktricks.xyz/pentesting-web/cors-bypass) for sharing the resources.
- Thanks to PortSwigger and the security researchers (https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet) for providing and collecting the test cases.
