CORS Exploit PoC Viewer

Educational PoC to demonstrate CORS misconfigurations.

Attacker Server Exploit Options

Parameters for the exploitation script running on the attacker’s server:

Simulation of Victim Clicking the Link

This button simulates the victim clicking the malicious link that redirects them to the attacker's server. The CORS exploitation script then runs, sends a request to the Target URL, and retrieves the content that the target site would normally show only to the logged-in victim:

⚠️ For the demo to work with cookies, make sure you are logged into the target site using the same browser where this PoC page is open.

Information Received by the Attacker

This is what the attacker’s page would receive after the victim clicked:

Raw Response (HTML)
Rendered Preview
Response headers (debug)
CORS quick tips
  • Without cookies: only Access-Control-Allow-Origin is required (can be *).
  • With cookies: the server must return Access-Control-Allow-Origin: <your origin> (not *) and Access-Control-Allow-Credentials: true.
  • Third-party cookies: some browsers block them by default (Firefox ETP, Safari ITP, Chrome 3rd-party restrictions). ⚠️ On Firefox, you may need to disable Enhanced Tracking Protection (ETP) for this PoC to work with credentials: "include".
  • SameSite: session cookies must not be SameSite=Strict or SameSite=Lax (they won’t be sent cross-site). For the PoC to work, check that the cookie's SameSite attribute is None or is empty.
    🔍 Check in DevTools: Storage (Firefox) or Application (Chrome) → Cookies → SameSite column.
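The quick tips above, turned into a small audit helper so you can check your own server's policy for the misconfiguration this PoC demonstrates. This is an added example, not part of the PoC viewer's code; the `https://probe.example` origin and the Set-Cookie values are constructed for the demo.

```javascript
// Decides, from a response's CORS headers, whether a browser would let the
// page at requestOrigin read the response body (rules from the quick tips).
function corsReadable(headers, requestOrigin, withCredentials) {
  // Browsers match header names case-insensitively; values are compared exactly.
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? null : String(headers[key]).trim();
  };
  const acao = get("access-control-allow-origin");
  const acac = get("access-control-allow-credentials");
  if (acao === null) {
    return { readable: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (!withCredentials) {
    // Anonymous request: "*" or an exact origin match is enough.
    const ok = acao === "*" || acao === requestOrigin;
    return { readable: ok, reason: ok ? "ACAO allows this origin" : `ACAO is ${acao}` };
  }
  // Credentialed request: "*" is rejected and ACAC must be exactly "true".
  if (acao === "*") return { readable: false, reason: "wildcard ACAO rejected with credentials" };
  if (acao !== requestOrigin) return { readable: false, reason: `ACAO is ${acao}, not ${requestOrigin}` };
  if (acac !== "true") return { readable: false, reason: "Access-Control-Allow-Credentials is not true" };
  return { readable: true, reason: "origin allowed with credentials" };
}

// Flags the misconfiguration the PoC relies on: the server echoes back an
// arbitrary Origin together with Access-Control-Allow-Credentials: true.
// headersForOrigin(origin) returns the response headers the server sends for
// that Origin (in a real audit, wrap a fetch; here the caller supplies it).
function reflectsArbitraryOrigin(headersForOrigin, probeOrigin = "https://probe.example") {
  return corsReadable(headersForOrigin(probeOrigin), probeOrigin, true).readable;
}

// Parses a Set-Cookie value and reports whether the cookie would accompany a
// cross-site fetch: only SameSite=None does; Lax and Strict never do; an unset
// attribute is browser-dependent (Chrome defaults to Lax, Firefox does not).
function cookieSentCrossSite(setCookie) {
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const sameSite = attrs.find((a) => a.startsWith("samesite="));
  if (!sameSite) return "browser-dependent";
  const value = sameSite.slice("samesite=".length);
  // Chromium rejects SameSite=None cookies that are not also marked Secure.
  if (value === "none") return attrs.includes("secure") ? "yes" : "no";
  return "no";
}
```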