
Cross-origin Resource Sharing is not supported by the API provided by recon-web.

Open chqr1y opened this issue 5 years ago • 4 comments

The CORS policy blocks requests to the recon-web API (like http://127.0.0.1:5000/api/workspaces) made from the JavaScript context of a web page in Firefox or Chrome. This behavior prevents the use of the API from a JavaScript web application.

I have tested with recon-ng 5.1.1, Firefox 68.7.0esr and Chromium 81.0.4044.92.

chqr1y, May 08 '20 17:05

Confirmed.

Is this a show-stopper for something you are working on?

lanmaster53, Jun 08 '20 03:06

It's not a show-stopper for me (I have patched the core for my project). Do you want me to work on a fix?

chqr1y, Jun 08 '20 04:06

Sure. It should be pretty easy. I've developed several Flask apps that use the Flask-CORS extension. The default configuration is vulnerable to arbitrary origin reflection, but for this app, which isn't intended to be used outside of localhost, that shouldn't be an issue. I suppose Recon-web could always be invoked with a --origin argument that it uses to whitelist the origin. Just an idea.

On a side note, what is this project you're working on? I've not talked to anyone using the API at this point, but there is a lot of possibility and I'm interested in seeing it used.

lanmaster53, Jun 08 '20 17:06

I agree with you. I'm going to propose the following behavior:

  • the default policy is '*' for '/api/*'
  • an optional argument '--origin' is added to restrict the CORS to one origin

Another point: my project is a JavaScript interface to manipulate a large amount of OSINT material in a more convenient way. For now, it's more of an experiment to learn ReactJS. I'll let you know when I have a working POC.

chqr1y, Jun 09 '20 00:06
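
The policy proposed in the thread (wildcard by default for `/api/*`, an optional `--origin` to restrict to one origin), sketched as a stdlib-only WSGI middleware. This is an added example, not recon-ng's code or the eventual patch, and it does not use Flask-CORS; `build_parser`, `cors_middleware`, `demo_app`, `acao` and the origin `http://localhost:3000` are hypothetical/constructed. It covers simple GET requests only, not preflight `OPTIONS`.

```python
import argparse

def build_parser():
    # Hypothetical CLI mirroring the --origin flag proposed in the thread.
    parser = argparse.ArgumentParser(prog="recon-web")
    parser.add_argument("--origin", default="*",
                        help="only origin allowed to read /api/* responses")
    return parser

def cors_middleware(app, allowed_origin="*", prefix="/api/"):
    """Wrap a WSGI app, adding CORS headers only to responses under prefix."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "")
        origin = environ.get("HTTP_ORIGIN")
        def start(status, headers, exc_info=None):
            headers = list(headers)
            if path.startswith(prefix):
                if allowed_origin == "*":
                    # Literal wildcard; the request's Origin is never echoed.
                    headers.append(("Access-Control-Allow-Origin", "*"))
                else:
                    # Response depends on Origin, so caches must key on it.
                    headers.append(("Vary", "Origin"))
                    if origin == allowed_origin:  # exact string match
                        headers.append(("Access-Control-Allow-Origin", origin))
            return start_response(status, headers, exc_info)
        return app(environ, start)
    return wrapped

def demo_app(environ, start_response):
    # Stand-in for the real API (constructed response body).
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"workspaces": []}']

def acao(app, path, origin=None):
    """Return the Access-Control-Allow-Origin value sent for a GET, or None."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen.update(headers)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    list(app(environ, start_response))
    return seen.get("Access-Control-Allow-Origin")

if __name__ == "__main__":
    args = build_parser().parse_args(["--origin", "http://localhost:3000"])
    app = cors_middleware(demo_app, args.origin)
    print(acao(app, "/api/workspaces", "http://localhost:3000"))
```

With `--origin` set, a page served from any other origin receives no `Access-Control-Allow-Origin` header, so the browser blocks its script from reading the API response.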