I found an XSS on subdomain.example.com. Is it possible to use that XSS to extract the response of an API request from the main domain example.com/api/xyz?

The XSS is on subdomain.example.com and I'd like to extract the whole response of www.example.com/api/xyz. Is it possible to do it via XSS?

If possible, which JavaScript code could I use?

schroeder
stack ups
  • document.domain only works with frames, ajax needs CORS, so the answer depends on the CORS headers set by example.com. – Z.T. May 17 '19 at 01:24
  • I'm going to go with the StackOverflow-approach here and ask: "What have you tried so far?" –  May 17 '19 at 08:00
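
The CORS dependency mentioned in the first comment, as an added example that is not part of the original thread: a simplified model of the browser's check on whether script from a given origin may read a cross-origin response, useful for auditing the headers your own API returns. Preflight handling is omitted, and the function names, origins and header sets are constructed for illustration.

```javascript
// Added example: simplified model of the browser-side CORS read check.
// Assumption: only the response check is modelled, not preflight requests.
function corsAllowsRead(requestOrigin, withCredentials, responseHeaders) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) {
    h[k.toLowerCase()] = String(v).trim();
  }
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  // The wildcard is honoured only for requests sent without credentials.
  if (!withCredentials && acao === "*") {
    return { allowed: true, reason: "wildcard, request without credentials" };
  }
  // Otherwise the header must equal the serialized origin exactly.
  if (acao !== requestOrigin) {
    return { allowed: false, reason: "origin does not match " + acao };
  }
  if (!withCredentials) {
    return { allowed: true, reason: "origin matched" };
  }
  // Credentialed reads also need Allow-Credentials: true (case-sensitive).
  if (h["access-control-allow-credentials"] === "true") {
    return { allowed: true, reason: "origin matched, credentials allowed" };
  }
  return { allowed: false, reason: "credentials not allowed" };
}

// Constructed header sets an API on www.example.com might return.
const SAMPLE_POLICIES = {
  "no CORS headers": {},
  "wildcard": { "Access-Control-Allow-Origin": "*" },
  "subdomain allowed with credentials": {
    "Access-Control-Allow-Origin": "https://subdomain.example.com",
    "Access-Control-Allow-Credentials": "true",
  },
  "different origin allow-listed": {
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Access-Control-Allow-Credentials": "true",
  },
};

// Lists the policies under which `origin` can read a credentialed response.
function policiesExposingCredentialedReads(origin) {
  return Object.keys(SAMPLE_POLICIES).filter(
    (name) => corsAllowsRead(origin, true, SAMPLE_POLICIES[name]).allowed
  );
}
```

Any policy this audit lists for a subdomain means script running on that subdomain can read authenticated API responses, so the allow-list should contain only origins that need that access.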

0 Answers