From d0be596ca0e43fd772e4317bcc5a5732a31444c8 Mon Sep 17 00:00:00 2001 From: henopied Date: Sun, 22 Sep 2024 11:54:26 -0500 Subject: [PATCH] cors --- fallctf-2024/src/web/web.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fallctf-2024/src/web/web.md b/fallctf-2024/src/web/web.md index 7a1be2e..702d96e 100644 --- a/fallctf-2024/src/web/web.md +++ b/fallctf-2024/src/web/web.md @@ -147,7 +147,7 @@ More details on XSS: https://portswigger.net/web-security/cross-site-scripting A useful resource for receiving requests is [webhook.site](https://webhook.site/). For example, if you need to extract some data from a website, you can have your XSS payload send a request to your webhook.site URL with the data you need. -Be careful when exfiltrating data to make sure the data on the page you are trying to extract is actually loaded. +Be careful when exfiltrating data to make sure the data on the page you are trying to extract is actually loaded. Also, make sure to go to `edit` and enable `Add CORS Headers` to allow the admin's browser to make requests to the site. ```js window.addEventListener('load', () => {
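Review bot: in the sentence appended to the `+` line, "the site" is ambiguous, because the paragraph refers both to the website being extracted from and to webhook.site, and nothing says that `edit` and `Add CORS Headers` are controls on webhook.site. Suggest naming it, for example "On webhook.site, go to `edit` and enable `Add CORS Headers` so the admin's browser can make requests to your webhook.site URL." The new sentence also lands between the "actually loaded" advice and the `window.addEventListener('load', ...)` snippet that follows it, so the snippet now reads as if it illustrates the CORS setting; consider moving the CORS note up next to the webhook.site sentence or onto its own line. The subject line "cors" would also be easier to find later if it said what was documented.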