The code below will really show your cookies if you are logged into Twitter (no matter in which tab or window). The button reads "Get Cookies from Charlie"
because in the video PoC we were attacking an imaginary character named Charles. However, clicking on that button will show your cookies.
This proof of concept assumes that you already have a Twitter tab/window open. If you don't, please open one now.
Charlie, we are out of milk but we have your cookies.
This is our code:
Tested on: Microsoft Edge 40.15063.0.0 / EdgeHTML 15.15063
Explanation: SOP bypass / UXSS data-meta-data in a domainless world (Edge)