Security Test - Cookie Theft

Collector Log

Payloads in the Live Output column run automatically in sandboxed iframes. Fetch and beacon calls appear here (auto-refreshes every 2 s).

Cookie Theft Security Test Cases

| Case | Name | Payload | Expected Behavior | Live Output |
| --- | --- | --- | --- | --- |
| A1 | Script steals cookie | `<script>fetch('/collect/cookie?v=' + encodeURIComponent(document.cookie))</script>` | Crawler output should keep the script-looking text inert when displayed as HTML. | |
| A2 | Image onerror steals cookie | `<img src=x onerror="fetch('/collect/cookie?v=' + encodeURIComponent(document.cookie))">` | Crawler output should not render this as an executable image error handler. | |
| A3 | SVG onload steals cookie | `<svg onload="navigator.sendBeacon('/collect/cookie', document.cookie)"></svg>` | Crawler output should not render this as an executable SVG load handler. | |
| A4 | Delayed cookie steal with setTimeout | `<script>setTimeout(() => fetch('/collect/cookie?v=' + encodeURIComponent(document.cookie)), 1500)</script>` | Crawler output should keep delayed script text inert. | |
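One way to check the Expected Behavior column automatically. This is an added example, not code from the test page or from any crawler. It assumes the crawler holds each payload as extracted text, and `render_inert` with its `<pre>` wrapper is a hypothetical stand-in for the step that displays that text as HTML.

```python
import html
from html.parser import HTMLParser

# The four payloads from the test cases above, held as plain extracted text.
PAYLOADS = {
    "A1": "<script>fetch('/collect/cookie?v=' + encodeURIComponent(document.cookie))</script>",
    "A2": "<img src=x onerror=\"fetch('/collect/cookie?v=' + encodeURIComponent(document.cookie))\">",
    "A3": "<svg onload=\"navigator.sendBeacon('/collect/cookie', document.cookie)\"></svg>",
    "A4": "<script>setTimeout(() => fetch('/collect/cookie?v=' + encodeURIComponent(document.cookie)), 1500)</script>",
}


class ActiveMarkupFinder(HTMLParser):
    """Records every element and on* attribute an HTML parser would act on."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.elements, self.handlers, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        self.elements.append(tag)
        self.handlers += [f"{tag}.{name}" for name, _ in attrs if name.startswith("on")]

    def handle_data(self, data):
        self.text.append(data)


def scan(markup):
    finder = ActiveMarkupFinder()
    finder.feed(markup)
    finder.close()
    return finder


def render_inert(extracted_text):
    """Hypothetical display step: escape the text before embedding it in HTML."""
    return "<pre>" + html.escape(extracted_text, quote=True) + "</pre>"


def check_case(payload):
    """Return (raw_elements, raw_handlers, escaped_elements, visible_text)."""
    raw, safe = scan(payload), scan(render_inert(payload))
    return raw.elements, raw.handlers, safe.elements, "".join(safe.text)
```

A case passes when the escaped rendering parses to the wrapper element only and the visible text still equals the original payload, so nothing is lost and nothing executes.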
