2026-04-26
CORS-misconfiguration-scanner
A custom Python script to search for misconfigured CORS headers.
Description of Tool
This is a hand-written Python script that sends a GET request to a URL and checks the response for vulnerabilities caused by CORS misconfiguration. Not AI slop: this is hand-written code, produced by a human.
How it Works
It all begins by asking the user for a URL. This URL is then parsed to determine whether or not it is valid. This was a lot easier than I thought it would be: Python has a built-in urlparse() function (in urllib.parse). It splits the URL into manageable parts (scheme, host, path, and so on) that I could run simple tests on.
Once the URL is validated, the program sends a GET request with a spoofed Origin header pointing at an evil (attacker-controlled) origin. The CORS-relevant response headers are parsed and saved in a dictionary. The dictionary is a lot better than having a ton of independent variables, because it makes it much easier to pass everything between separate functions.
Then for the results I print the response headers with formatted print functions (f-strings). I had to learn how to do this so the output would be readable and not massive chunks of text: `print(f"{'Allow Origin':<25}: {corsHeaders['allowOrigin']}")`. The syntax was a little weird to figure out, but it was worth it.
Finally, I compare the response headers against some dangerous CORS combinations that I set manually, the classic one being the server reflecting the spoofed origin in Access-Control-Allow-Origin while also sending Access-Control-Allow-Credentials: true. If any of these combinations is detected, the program prints an alert with a short description of what it is and why it is a problem.
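The four steps above, as an added example written for this page (not the author's script): validate the URL with urlparse, send a GET with a spoofed Origin, collect the CORS headers into one dictionary, and compare them against dangerous combinations. The function names, the evil origin `https://evil.example`, and the specific combinations checked (reflected origin, `null` origin, wildcard plus credentials, missing `Vary: Origin`) are my assumptions rather than the original's; the sample response headers at the bottom are constructed so the script runs without network access.

```python
"""Minimal CORS misconfiguration probe (illustrative, not the post's own code)."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Attacker-controlled origin sent in the Origin header (assumed/constructed value).
EVIL_ORIGIN = "https://evil.example"


def validate_url(url: str) -> bool:
    """Accept only absolute http(s) URLs with a host, using urllib.parse.urlparse."""
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def parse_cors_headers(headers) -> dict:
    """Pull the CORS-relevant response headers into one dictionary.

    `headers` may be urllib's HTTPMessage (case-insensitive .get) or a plain
    dict; for a dict we fall back to a manual case-insensitive scan.
    """
    def get(name):
        value = headers.get(name)
        if value is None:
            for key in headers:
                if key.lower() == name.lower():
                    value = headers[key]
                    break
        return value

    return {
        "allowOrigin": get("Access-Control-Allow-Origin"),
        "allowCredentials": get("Access-Control-Allow-Credentials"),
        "allowMethods": get("Access-Control-Allow-Methods"),
        "vary": get("Vary"),
    }


def find_dangerous_combos(cors: dict, evil_origin: str = EVIL_ORIGIN) -> list:
    """Compare parsed headers against known-dangerous CORS combinations.

    Returns a list of (severity, title, explanation) tuples.
    """
    acao = (cors.get("allowOrigin") or "").strip()
    creds = (cors.get("allowCredentials") or "").strip().lower() == "true"
    vary = (cors.get("vary") or "").lower()
    findings = []

    if acao == evil_origin and creds:
        findings.append(("HIGH", "Reflected origin with credentials",
                         "The server echoed our arbitrary Origin and allows credentials, "
                         "so any site can read authenticated responses with the victim's cookies."))
    elif acao == evil_origin:
        findings.append(("MEDIUM", "Reflected origin without credentials",
                         "Arbitrary origins can read this resource; a problem if it is "
                         "sensitive but not cookie-protected (e.g. IP-restricted data)."))

    if acao == "null" and creds:
        findings.append(("HIGH", "'null' origin trusted with credentials",
                         "Sandboxed iframes send Origin: null, so an attacker can obtain "
                         "the null origin and read credentialed responses."))

    if acao == "*" and creds:
        findings.append(("LOW", "Wildcard origin with credentials",
                         "Browsers reject '*' together with credentials, so this is not "
                         "exploitable as-is, but it signals a misconfigured policy."))

    if acao == evil_origin and "origin" not in vary:
        findings.append(("LOW", "Origin reflected without Vary: Origin",
                         "Per-origin responses served without Vary: Origin may be "
                         "cached and replayed to other users by a shared cache."))
    return findings


def print_report(cors: dict, findings: list) -> None:
    """Aligned output using the same f-string width trick described in the post."""
    labels = (("allowOrigin", "Allow Origin"), ("allowCredentials", "Allow Credentials"),
              ("allowMethods", "Allow Methods"), ("vary", "Vary"))
    for key, label in labels:
        print(f"{label:<25}: {cors.get(key)}")
    for severity, title, why in findings:
        print(f"\n[{severity}] {title}\n  {why}")
    if not findings:
        print("\nNo dangerous CORS combination detected.")


def scan(url: str, evil_origin: str = EVIL_ORIGIN) -> list:
    """Send a GET with a spoofed Origin header and evaluate the response (needs network)."""
    if not validate_url(url):
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    req = urllib.request.Request(url, headers={"Origin": evil_origin, "User-Agent": "cors-probe"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            cors = parse_cors_headers(resp.headers)
    except urllib.error.HTTPError as err:
        cors = parse_cors_headers(err.headers)  # 4xx/5xx replies can still carry CORS headers
    findings = find_dangerous_combos(cors, evil_origin)
    print_report(cors, findings)
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        scan(sys.argv[1])
    else:
        # Constructed headers standing in for a vulnerable server (no network needed).
        sample = {"Access-Control-Allow-Origin": EVIL_ORIGIN,
                  "Access-Control-Allow-Credentials": "true",
                  "Content-Type": "application/json"}
        parsed = parse_cors_headers(sample)
        print_report(parsed, find_dangerous_combos(parsed))
```

Run it with a URL argument to probe a live endpoint, or with no arguments to see the report for the constructed vulnerable response. The HTTPError branch matters in practice: an unauthenticated probe often gets a 401 or 403, and the CORS headers on that error page are exactly what you want to inspect.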
What Did I Learn?
- Basic Python — basic Python syntax, virtual environments, and using libraries
- Creating blogs — I learned how to share my work through this blog and LinkedIn
- Git CLI — learned how to use git commands to push my work to a public repo for others to use
- Web Headers - I now better understand web headers and how the different types of requests work
- Development is fun - with AI everywhere, more and more people are relying on prompts rather than actually developing tools themselves. Don't get me wrong, AI has its uses; it is incredible. However, I had a lot of fun and learned a lot by creating this program myself without any AI assistance at all.
Why Write About it?
Writing forces me to actually understand something. If I can't explain it, I don't understand it well enough. This blog is as much for me as it is for anyone else who stumbles across it.
Setup
This site is built with Next.js, written in TypeScript, and styled with plain CSS. Posts are Markdown files in the repo — nothing fancy, easy to maintain.
More posts coming soon.