Tool that finds CORS misconfigurations.

```sh
go install github.com/wfinn/[email protected]
```

```sh
$ echo https://target.tld/endpoint | ucors
$ cat urls.txt | ucors -c session=xyz123
Url: https://target.tld/endpoint Origin: null ACAC: true
```

Many bypasses only work in Safari.

Create a list of URLs to check, grab a valid session cookie, and start ucors to look for bypasses. Ideally, prepare a list of every endpoint that returns interesting data.

Below is an example output. For each hit you see the URL, the Origin payload that was accepted, and whether cookies are allowed (ACAC, short for Access-Control-Allow-Credentials):

```sh
$ cat urls.txt | ucors -c session=xyz123
Url: https://target.tld/profile/private-data.json Origin: https://subdomain.target.tld&evil.com ACAC: true
Url: https://sub.target.tld/getSensitiveInfo Origin: null ACAC: true
```
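To make the `Url / Origin / ACAC` lines concrete, here is an added Go example that is not part of ucors or this README. It reproduces the decision behind `ACAC: true` (the server echoes the probe Origin in `Access-Control-Allow-Origin` and also sends `Access-Control-Allow-Credentials: true`) and runs it against two in-process handlers: a constructed vulnerable one that reflects any Origin, and a hardened one that only echoes origins from an exact-match allowlist and adds `Vary: Origin`. The probe origins `null` and `https://subdomain.target.tld&evil.com` come from the example output above; the allowlisted origin `https://app.target.tld`, the handler names and the use of `net/http/httptest` are assumptions made for this example. Note that the classifier cannot know which origins are legitimately trusted; ucors only sends attacker-style origins, so an accepted probe there is a finding, whereas an accepted allowlisted origin here is the intended behaviour.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Finding mirrors one "Url / Origin / ACAC" line of ucors output: which Origin
// was sent, what came back, and whether the server accepted it with credentials.
type Finding struct {
	Origin   string // Origin header sent in the probe
	ACAO     string // Access-Control-Allow-Origin returned (empty if absent)
	ACAC     bool   // Access-Control-Allow-Credentials: true returned
	Accepted bool   // ACAO echoes the probe origin AND credentials are allowed
	Reason   string
}

// classify is the decision behind "ACAC: true": a probe origin only matters
// when the server both echoes it back and allows credentials. A wildcard
// ACAO is not a credentialed hit because browsers never send cookies to "*".
func classify(origin string, resp http.Header) Finding {
	f := Finding{
		Origin: origin,
		ACAO:   resp.Get("Access-Control-Allow-Origin"),
		ACAC:   strings.EqualFold(resp.Get("Access-Control-Allow-Credentials"), "true"),
	}
	switch {
	case f.ACAO == "":
		f.Reason = "no ACAO header: browser blocks the cross-origin read"
	case f.ACAO == "*":
		f.Reason = "wildcard ACAO: credentials are never attached to it"
	case f.ACAO == origin && f.ACAC:
		f.Accepted = true
		f.Reason = "probe origin echoed with credentials allowed"
	case f.ACAO == origin:
		f.Reason = "probe origin echoed but credentials not allowed"
	default:
		f.Reason = "ACAO does not match the probe origin"
	}
	return f
}

// vulnerableHandler is a constructed example of the bug ucors hunts for: it
// reflects any Origin it is given and allows credentials.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if o := r.Header.Get("Origin"); o != "" {
		w.Header().Set("Access-Control-Allow-Origin", o)
		w.Header().Set("Access-Control-Allow-Credentials", "true")
	}
	fmt.Fprint(w, `{"data":"constructed sample"}`)
}

// hardenedHandler only echoes origins from an exact-match allowlist. "null",
// suffix or substring matches and anything else get no ACAO header at all,
// and Vary: Origin keeps caches from serving one origin's answer to another.
func hardenedHandler(allowed map[string]bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); allowed[o] {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.Header().Add("Vary", "Origin")
		}
		fmt.Fprint(w, `{"data":"constructed sample"}`)
	}
}

// probe sends one GET with the given Origin to a handler in-process and
// classifies the response headers; a real http.Client would do the same
// against a live URL.
func probe(h http.Handler, origin string) Finding {
	req := httptest.NewRequest(http.MethodGet, "https://target.tld/endpoint", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return classify(origin, rec.Result().Header)
}

func main() {
	// Probe origins taken from the README's example output, plus one
	// assumed legitimate origin to show the hardened allowlist working.
	probes := []string{"null", "https://subdomain.target.tld&evil.com", "https://app.target.tld"}
	handlers := map[string]http.Handler{
		"vulnerable": http.HandlerFunc(vulnerableHandler),
		"hardened":   hardenedHandler(map[string]bool{"https://app.target.tld": true}),
	}
	for name, h := range handlers {
		for _, o := range probes {
			f := probe(h, o)
			fmt.Printf("%-10s Origin: %-40s ACAC: %-5t accepted=%-5t (%s)\n",
				name, f.Origin, f.ACAC, f.Accepted, f.Reason)
		}
	}
}
```

Running it shows the vulnerable handler accepting every probe with credentials, while the hardened handler returns no `Access-Control-Allow-Origin` at all for `null` and the crafted subdomain origin and only echoes the allowlisted one. The exact-match map is the key design choice: prefix, suffix or regex checks on the Origin value are what let payloads like the one in the example output slip through.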


- `-p` to only print the generated bypasses and not make any requests
- `-d evil.com` to set the attacker domain
- `-s` to skip the URL after finding a bypass
- `-c abc=XYZ` to set cookies
- `-a "Bearer: abcXYZ"` to set the Authorization header
