Closed: phra closed this issue 3 years ago
I control these domains and there isn't anything to worry about; you can change them to your URL. The source code of the file is:
```php
<?php
// The file is served as JavaScript so it can be loaded via a <script> src.
header("Content-Type: application/javascript");

function cors() {
    // Reflect whatever Origin the caller sent and allow credentials,
    // so any origin can load this resource with cookies attached.
    if (isset($_SERVER['HTTP_ORIGIN'])) {
        header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
        header('Access-Control-Allow-Credentials: true');
    }

    // Answer CORS preflights: advertise the allowed methods and echo back
    // the requested header names, then stop without a body.
    if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
        if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])) {
            header("Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE");
        }
        if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) {
            header("Access-Control-Allow-Headers: {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}");
        }
        exit(0);
    }

    // Actual response body: the probe that calls back into the Electron app.
    echo "javascript:top.pinghost(1)//<img src=x onerror=top.pinghost(1)>";
}

cors();
?>
```
In order to test for XSS vulnerabilities via an Electron application running locally, this project should not use external, out-of-end-user-control XSS payloads hosted on third-party services such as the one present in xss.html:
https://github.com/RenwaX23/XSSTRON/blob/02ab3e741f3ddbca32b0abb8ed07a95736cbe1b9/xss.html#L26
https://github.com/RenwaX23/XSSTRON/blob/02ab3e741f3ddbca32b0abb8ed07a95736cbe1b9/xssp.html#L27