Challenge 40 of 66

Cross Origin

🟠 Hard Web App +100 XP

An API returns Access-Control-Allow-Origin: * with credentials. Steal the admin token from a cross-origin page.

Cross Origin // sandbox
CORS with wildcard + credentials = any site can read the response.
