Background
I\'m security testing a company that has a bug bounty program. Their API allows CORS from any external site and one of the request made to
