⚡ White.market · CORS Exploit v3

GraphQL Credential Theft Toolkit · Inline Response Viewer

Successful

Failed

Data (KB)

0.00

Total Queries

🔧 Global Request Headers applied to every request · browser may override some

These headers are merged into all fetch calls. Content-Type and credentials are always set internally. Headers the browser controls (e.g. Cookie, User-Agent, Origin) cannot be set from JS — they are sent automatically via credentials: include. Use this to inject custom tokens, Authorization: Bearer …, x-api-key, etc.

🔧 Global Request Headers merged into every request

These headers are sent with all requests. Content-Type: application/json is always set automatically. Browser-controlled headers (Cookie, User-Agent, Origin, Referer, Sec-Fetch-*) are sent automatically via credentials: include — you cannot set them here. Use this for: Authorization: Bearer <accessToken>, x-api-key, custom session headers, etc.

Preset Queries

Custom Query

Query Name (display label) GraphQL Query Variables (JSON, optional)

▶ Per-Request Header Overrides overrides globals for this request only

Results 0 entries

⬡

No queries executed yet.

Run auth check or select queries to begin.