Checking if a whitelisted string is found is a bad approach

Easy Cross Origin Resource Sharing

When you press Begin Challenge you'll be sent to and will see {"auth_token":"anVzdF9hbl9leGFtcGxl"}.

An attacker may want to obtain this value from their victim, but how could they do this?

This is your objective. Find a way to obtain the information when your victim (you) visits your proof of concept.
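Why the substring check named at the top of this page is a bad approach, seen from the server side. This is an added example, not the challenge's code: the origin names are constructed, and `weakCorsHeaders`, `strictCorsHeaders` and `compare` are hypothetical helpers.

```javascript
// Added example. All origins are constructed placeholders, not from the challenge.
const TRUSTED_STRING = "app.example.test"; // assumed whitelisted string
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);

// Weak: trusts any Origin that merely contains the whitelisted string,
// then reflects it back with credentials enabled.
function weakCorsHeaders(origin) {
  if (origin && origin.includes(TRUSTED_STRING)) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return {};
}

// Hardened: parse the Origin, require it to be in canonical form,
// and compare the whole scheme://host[:port] against an exact allowlist.
function strictCorsHeaders(origin) {
  let canonical;
  try {
    canonical = new URL(origin).origin;
  } catch {
    return {}; // missing, "null" or malformed Origin: send no CORS headers
  }
  if (canonical !== origin || !ALLOWED_ORIGINS.has(canonical)) return {};
  return {
    "Access-Control-Allow-Origin": canonical,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's response to another
  };
}

// Constructed Origin header values to run through both checks.
const SAMPLES = [
  "https://app.example.test",
  "https://app.example.test.other.test",
  "https://notapp.example.test",
  "https://other.test",
  "null",
];

function compare(samples) {
  const allowed = (h) => "Access-Control-Allow-Origin" in h;
  return samples.map((o) => ({
    origin: o,
    weak: allowed(weakCorsHeaders(o)),
    strict: allowed(strictCorsHeaders(o)),
  }));
}

console.table(compare(SAMPLES));
```

Any row where `weak` is true and `strict` is false is an origin the substring check would let read a credentialed response such as the `auth_token` JSON.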