Usage: http://cm2.pw/xssi?url=http://example.com Parameters: url - Target URL, required eval - JavaScript code to be evaled, optional - Any other attributes that script element supports (async, defer, charset, etc.), optional Example: http://cm2.pw/xssi?url=https://api.ipify.org%3fformat=jsonp http://cm2.pw/xssi?url=https://api.ipify.org%3fformat=jsonp%26callback=myFunc&charset=utf-16be&eval=myFunc=i=>alert(JSON.stringify(i)) References: https://www.scip.ch/en/?labs.20160414 http://www.mbsd.jp/Whitepaper/xssi.pdf http://scary.beasts.org/security/CESA-2008-011.html http://blog.portswigger.net/2016/11/json-hijacking-for-modern-web.html http://balpha.de/2013/02/plain-text-considered-harmful-a-cross-domain-exploit/ https://www.owasp.org/images/f/f3/Your_Script_in_My_Page_What_Could_Possibly_Go_Wrong_-_Sebastian_Lekies%2BBen_Stock.pdf