Account Takeover PoC

Whop app iframe — full attack surface demonstration

CRITICAL 1. Cookie Theft (.whop.com)


CRITICAL 2. SDK Exploitation (typed-transport)

Forging @whop/iframe SDK messages via postMessage from the app iframe to extract data from the host page and trigger host-side actions as the victim. Because the app frame already runs on an origin the host expects, an origin check on the host alone does not stop this; the host must also restrict which events an app may invoke and validate each payload.
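The host-side handler below is an added example, not code from this PoC or from the @whop/iframe SDK. It assumes SDK messages are plain { event, data } objects (the shape this PoC uses for openExternalUrl); the real SDK's wire format, event names and trusted origins are not known here, so TRUSTED_APP_ORIGINS and the action table are stand-ins. It shows the unsafe pattern (dispatch any event from any sender) next to a hardened one (bind to the expected frame and origin, allowlist events, validate the URL).

```javascript
// Added example (not from the PoC page or the @whop/iframe SDK).
// Assumptions: messages are { event, data } objects; the host knows the exact
// origin and window of the app frame it embedded. Names below are hypothetical.

const TRUSTED_APP_ORIGINS = new Set([
  "https://example-app.apps.whop.com", // hypothetical app origin
]);

// Vulnerable handler: dispatches any event from any window that can reach it.
function handleSdkMessageUnsafe(event, actions) {
  const msg = event.data;
  if (msg && typeof msg.event === "string" && actions[msg.event]) {
    return actions[msg.event](msg.data);
  }
  return null;
}

// Hardened handler: the message must come from the embedded frame's window and
// origin, name an allowlisted event (own property only, so "__proto__" etc. are
// rejected), and carry a payload the action itself validates.
function handleSdkMessageSafe(event, actions, expectedSource) {
  if (!TRUSTED_APP_ORIGINS.has(event.origin)) return { rejected: "origin" };
  if (expectedSource && event.source !== expectedSource) return { rejected: "source" };
  const msg = event.data;
  if (!msg || typeof msg !== "object" || typeof msg.event !== "string") {
    return { rejected: "shape" };
  }
  if (!Object.prototype.hasOwnProperty.call(actions, msg.event)) {
    return { rejected: "event" };
  }
  return actions[msg.event](msg.data);
}

// Host-side action table (hypothetical). openExternalUrl only accepts absolute
// https URLs; a real host would additionally show a confirmation prompt.
const actions = {
  openExternalUrl(data) {
    let url;
    try {
      url = new URL(String(data && data.url));
    } catch {
      return { opened: false, reason: "invalid-url" };
    }
    if (url.protocol !== "https:") return { opened: false, reason: "scheme" };
    return { opened: true, url: url.href };
  },
};

// Constructed MessageEvent-like objects for offline testing (not captured traffic).
const appFrame = { id: "app-frame" };
const forgedFromThirdParty = {
  origin: "https://attacker.example",
  source: { id: "other-frame" },
  data: { event: "openExternalUrl", data: { url: "https://attacker.example/fake-login" } },
};
const fromAppUnknownEvent = {
  origin: "https://example-app.apps.whop.com",
  source: appFrame,
  data: { event: "__proto__", data: {} },
};
const fromAppBadScheme = {
  origin: "https://example-app.apps.whop.com",
  source: appFrame,
  data: { event: "openExternalUrl", data: { url: "javascript:alert(1)" } },
};
const legitFromApp = {
  origin: "https://example-app.apps.whop.com",
  source: appFrame,
  data: { event: "openExternalUrl", data: { url: "https://whop.com/some/page" } },
};
```

The unsafe handler opens the attacker's URL for any sender; the hardened one rejects the third-party frame by origin, rejects events outside the allowlist, and rejects non-https targets even when the message comes from the genuine app frame.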

CRITICAL 3. CSRF — Authenticated Requests

Cross-origin requests sent from *.apps.whop.com to whop.com carry the victim's whop.com cookies, including the httpOnly session cookie, and the server accepts them with 200 OK. Note that apps.whop.com and whop.com share the registrable domain whop.com, so the browser treats these requests as same-site: SameSite=Lax or Strict on the cookie does not block them, and the server must rely on a CSRF token or an Origin check instead.

HIGH 4. Cookie Injection on .whop.com

HIGH 5. Navigation Hijack

If the app iframe's sandbox grants allow-top-navigation, or the host honors the SDK's openExternalUrl message without validating the target or asking the user, the app can redirect the victim's top-level window to a phishing page.

// Via sandbox:  top.location = "https://attacker.com/fake-login";
// Via SDK:      postMessage({ event: "openExternalUrl", data: { url: "..." } });

HIGH 6. Data Exfiltration
