Demonstrates CORS origin reflection with credentials allowed (an effective wildcard) on app.superfunnelsai.com
⚠️ AUTHORIZED PENTEST ONLY — This PoC demonstrates a real vulnerability.
It works by making cross-origin requests WITH cookies to the SuperFunnels API from this page (a different origin).
Because the server reflects any Origin + allows credentials, the browser lets us read the response.
How to test: Open another tab, log into app.superfunnelsai.com, then come back here and click "Run Exploit".
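For the server side of the behaviour described above, the following added example (not code from the tested application or from this PoC) puts the reflecting policy beside an exact-match allowlist and models the browser's check for a credentialed response. The origins and the `ALLOWED_ORIGINS` allowlist are constructed placeholders.

```javascript
// Added example: not code from the application under test.
// ALLOWED_ORIGINS is a constructed allowlist standing in for the site's own front ends.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// Misconfigured policy described above: echo any Origin and allow credentials.
function reflectingCors(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Hardened policy: exact string match against the allowlist, nothing for anyone else.
// Exact matching also rejects look-alikes such as "https://app.example.com.other.example"
// and the literal origin "null" (sandboxed iframes, file:// pages).
function allowlistCors(origin, allowed = ALLOWED_ORIGINS) {
  const headers = { "Vary": "Origin" }; // shared caches must key the response on Origin
  if (typeof origin === "string" && allowed.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Model of the browser-side check for a credentialed request: the response is readable
// by the calling page only if ACAO equals its origin exactly ("*" is refused when
// credentials are included) and ACAC is the string "true".
function readableWithCredentials(pageOrigin, headers) {
  return headers["Access-Control-Allow-Origin"] === pageOrigin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// Constructed sample origins run through both policies.
const samples = ["https://app.example.com", "https://other-site.example",
                 "https://app.example.com.other.example", "null"];
function compare() {
  return samples.map((o) => ({
    origin: o,
    reflecting: readableWithCredentials(o, reflectingCors(o)),
    allowlist: readableWithCredentials(o, allowlistCors(o)),
  }));
}
console.table(compare());
```

Under the reflecting policy every sample origin can read a credentialed response; under the allowlist only the listed front end can.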