Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 04:33:28 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [#3286] No subject

Browse source
This commit is contained in:
CPol 2022-06-27 16:53:32 +00:00 committed by gitbook-bot
parent bff25c8869
commit fc97f34263
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 223 additions and 50 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

56
network-services-pentesting/pentesting-web/special-http-headers.md
View file

@ -1,4 +1,4 @@
# Special HTTP headers
<details>
@ -16,12 +16,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
# Wordlists
## Wordlists
* [https://github.com/danielmiessler/SecLists/tree/master/Miscellaneous/web/http-request-headers](https://github.com/danielmiessler/SecLists/tree/master/Miscellaneous/web/http-request-headers)
# Headers to Change Location
## Headers to Change Location
Rewrite **IP source**:
@ -48,7 +47,7 @@ Rewrite **location**:
* `X-Original-URL: /admin/console`
* `X-Rewrite-URL: /admin/console`
# Hop-by-Hop headers
## Hop-by-Hop headers
A hop-by-hop header is a header which is designed to be processed and consumed by the proxy currently handling the request, as opposed to an end-to-end header.
@ -58,7 +57,7 @@ A hop-by-hop header is a header which is designed to be processed and consumed b
[abusing-hop-by-hop-headers.md](../../pentesting-web/abusing-hop-by-hop-headers.md)
{% endcontent-ref %}
# HTTP Request Smuggling
## HTTP Request Smuggling
* `Content-Length: 30`
* `Transfer-Encoding: chunked`
@ -67,7 +66,7 @@ A hop-by-hop header is a header which is designed to be processed and consumed b
[http-request-smuggling](../../pentesting-web/http-request-smuggling/)
{% endcontent-ref %}
# Cache Headers
## Cache Headers
**Server Cache Headers**:
@ -87,20 +86,20 @@ A hop-by-hop header is a header which is designed to be processed and consumed b
* `Pragma: no-cache` same as `Cache-Control: no-cache`
* `Warning`: The **`Warning`** general HTTP header contains information about possible problems with the status of the message. More than one `Warning` header may appear in a response. `Warning: 110 anderson/1.3.37 "Response is stale"`
# Conditionals
## Conditionals
* Requests using these headers: **`If-Modified-Since`** and **`If-Unmodified-Since`** will be responded with data only if the response header\*\*`Last-Modified`\*\* contains a different time.
* Conditional requests using **`If-Match`** and **`If-None-Match`** use an Etag value so the web server will send the content of the response if the data (Etag) has changed. The `Etag` is taken from the HTTP response.
* The **Etag** value is usually **calculated based** on the **content** of the response. For example, `ETag: W/"37-eL2g8DEyqntYlaLp5XLInBWsjWI"` indicates that the `Etag` is the **Sha1** of **37 bytes**.
# Range requests
## Range requests
* **`Accept-Ranges`**: Indicates if the server supports range requests, and if so in which unit the range can be expressed. `Accept-Ranges: <range-unit>`
* **`Range`**: Indicates the part of a document that the server should return.
* **`If-Range`**: Creates a conditional range request that is only fulfilled if the given etag or date matches the remote resource. Used to prevent downloading two ranges from incompatible version of the resource.
* **`Content-Range`**: Indicates where in a full body message a partial message belongs.
# Message body information
## Message body information
* **`Content-Length`:** The size of the resource, in decimal number of bytes.
* **`Content-Type`**: Indicates the media type of the resource
@ -113,31 +112,31 @@ For example a combination of **`Range`** and **`Etag`** in a HEAD request can le
* A request with the header `Range: bytes=20-20` and with a response containing `ETag: W/"1-eoGvPlkaxxP4HqHv6T3PNhV9g3Y"` is leaking that the SHA1 of the byte 20 is `ETag: eoGvPlkaxxP4HqHv6T3PNhV9g3Y`
# Server Info
## Server Info
* `Server: Apache/2.4.1 (Unix)`
* `X-Powered-By: PHP/5.3.3`
# Controls
## Controls
* **`Allow`:** Lists the set of methods supported by a resource. `Allow: GET, POST, HEAD`
* **`Expect`**: The **`Expect`** HTTP request header indicates expectations that need to be fulfilled by the server in order to properly handle the request.
* No other expectations except `Expect: 100-continue` are specified currently. Informs recipients that the client is about to send a (presumably large) message body in this request and wishes to receive a [`100`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/100) (Continue) interim response.
# Downloads
## Downloads
* **`Content-Disposition`**: In a regular HTTP response, the **`Content-Disposition`** response header is a header indicating if the content is expected to be displayed _inline_ in the browser, that is, as a Web page or as part of a Web page, or as an _attachment_, that is downloaded and saved locally.
* `Content-Disposition: attachment; filename="filename.jpg"`
# Security Headers
## Security Headers
## Content Security Policy (CSP) <a href="#csp" id="csp"></a>
### Content Security Policy (CSP) <a href="#csp" id="csp"></a>
{% content-ref url="../../pentesting-web/content-security-policy-csp-bypass/" %}
[content-security-policy-csp-bypass](../../pentesting-web/content-security-policy-csp-bypass/)
{% endcontent-ref %}
## Trusted Types <a href="#tt" id="tt"></a>
### Trusted Types <a href="#tt" id="tt"></a>
Trusted Types provide the tools to write, security review, and maintain applications free of DOM XSS. They can be enabled via [CSP](https://web.dev/security-headers/#csp) and make JavaScript code secure by default by limiting dangerous web APIs to only accept a special object—a Trusted Type.
@ -168,7 +167,7 @@ const escaped = policy.createHTML('<img src=x onerror=alert(1)>');
el.innerHTML = escaped; // '&lt;img src=x onerror=alert(1)&gt;'
```
## X-Content-Type-Options <a href="#xcto" id="xcto"></a>
### X-Content-Type-Options <a href="#xcto" id="xcto"></a>
When a malicious HTML document is served from your domain (for example, if an image uploaded to a photo service contains valid HTML markup), some browsers will treat it as an active document and allow it to execute scripts in the context of the application, leading to a [cross-site scripting bug](https://www.google.com/about/appsecurity/learning/xss/).
@ -178,7 +177,7 @@ When a malicious HTML document is served from your domain (for example, if an im
X-Content-Type-Options: nosniff
```
## X-Frame-Options <a href="#xfo" id="xfo"></a>
### X-Frame-Options <a href="#xfo" id="xfo"></a>
If a malicious website can embed your site as an iframe, this may allow attackers to invoke unintended actions by the user with [clickjacking](https://portswigger.net/web-security/clickjacking). Also, in some cases [Spectre-type attacks](https://en.wikipedia.org/wiki/Spectre\_\(security\_vulnerability\)) give malicious websites a chance to learn about the contents of an embedded document.
@ -190,7 +189,7 @@ If you need more granular control such as allowing only a specific origin to emb
X-Frame-Options: DENY
```
## Cross-Origin Resource Policy (CORP) <a href="#corp" id="corp"></a>
### Cross-Origin Resource Policy (CORP) <a href="#corp" id="corp"></a>
An attacker can embed resources from another origin, for example from your site, to learn information about them by exploiting web-based [cross-site leaks](https://xsleaks.dev).
@ -200,7 +199,13 @@ An attacker can embed resources from another origin, for example from your site,
Cross-Origin-Resource-Policy: same-origin
```
## Cross-Origin Opener Policy (COOP) <a href="#coop" id="coop"></a>
### Cross-Origin Resource Policy (CORB) <a href="#corp" id="corp"></a>
It helps mitigate the threat of side-channel attacks (including Spectre). It is designed to prevent the browser from **delivering certain cross-origin network responses to a web page**, when they might contain sensitive information and are **not needed for existing web features**.\
In the same way, it also helps mitigating Cross-Site Script Inclusion (XSSI) vulnerabilities.\
For example, it will block a cross-origin text/html response requested from a \<script> or \<img> tag, replacing it with an empty response instead. This is an important part of the protections included with [Site Isolation](https://www.chromium.org/Home/chromium-security/site-isolation).
### Cross-Origin Opener Policy (COOP) <a href="#coop" id="coop"></a>
An attacker's website can open another site in a popup window to learn information about it by exploiting web-based [cross-site leaks](https://xsleaks.dev). In some cases, this may also allow the exploitation of side-channel attacks based on [Spectre](https://en.wikipedia.org/wiki/Spectre\_\(security\_vulnerability\)).
@ -210,7 +215,7 @@ The `Cross-Origin-Opener-Policy` header provides a way for a document to isolate
Cross-Origin-Opener-Policy: same-origin-allow-popups
```
## Cross-Origin Resource Sharing (CORS) <a href="#cors" id="cors"></a>
### Cross-Origin Resource Sharing (CORS) <a href="#cors" id="cors"></a>
Unlike other items in this article, Cross-Origin Resource Sharing (CORS) is not a header, but a browser mechanism that requests and permits access to cross-origin resources.
@ -225,7 +230,7 @@ Access-Control-Allow-Credentials: true
[cors-bypass.md](../../pentesting-web/cors-bypass.md)
{% endcontent-ref %}
## Cross-Origin Embedder Policy (COEP) <a href="#coep" id="coep"></a>
### Cross-Origin Embedder Policy (COEP) <a href="#coep" id="coep"></a>
To reduce the ability of [Spectre-based attacks](https://en.wikipedia.org/wiki/Spectre\_\(security\_vulnerability\)) to steal cross-origin resources, features such as `SharedArrayBuffer` or `performance.measureUserAgentSpecificMemory()` are disabled by default.
@ -237,7 +242,7 @@ Use `Cross-Origin-Embedder-Policy: require-corp` when you want to enable [cross-
Cross-Origin-Embedder-Policy: require-corp
```
## HTTP Strict Transport Security (HSTS) <a href="#hsts" id="hsts"></a>
### HTTP Strict Transport Security (HSTS) <a href="#hsts" id="hsts"></a>
Communication over a plain HTTP connection is not encrypted, making the transferred data accessible to network-level eavesdroppers.
@ -247,12 +252,11 @@ Communication over a plain HTTP connection is not encrypted, making the transfer
Strict-Transport-Security: max-age=3153600
```
# Resources
## Resources
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers)
* [https://web.dev/security-headers/](https://web.dev/security-headers/)
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -268,5 +272,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

217
pentesting-web/xs-search.md
View file

@ -1,4 +1,4 @@
# XS-Search
<details>
@ -16,29 +16,206 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
**The best resource to learn XS-Search is** [**https://xsleaks.dev/**](https://xsleaks.dev)
# XS-Search Time attack
## Time attack
Basically, you exploit a **CSRF vulnerability** to make a specific user access some **information** that the **victim can access** but you can't. Then, you **check** the **time** it take the request to be responded and depending on that you can know if the content was correctly accessed or not.
**\[Data Leak]**\
**Measuring the time** of a response that search for info, it's possible to leak if the info exists.\
For more info: [https://xsleaks.dev/docs/attacks/xs-search/](https://xsleaks.dev/docs/attacks/xs-search/)
For example, imagine that the **admin of a web** page can **access all** the inside the **webfiles** service and **you only** can access **yours**, and you want to know the **content** of a **file** that starts with the string "_**flag**_".
**Clocks**: The [performance.now()](https://developer.mozilla.org/en-US/docs/Web/API/Performance/now) API allows developers to get high-resolution timing measurements.\
There are a considerable number of APIs attackers can abuse to create implicit clocks: [Broadcast Channel API](https://developer.mozilla.org/en-US/docs/Web/API/Broadcast\_Channel\_API), [Message Channel API](https://developer.mozilla.org/en-US/docs/Web/API/MessageChannel), [requestAnimationFrame](https://developer.mozilla.org/en-US/docs/Web/API/window/requestAnimationFrame), [setTimeout](https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/setTimeout), CSS animations, and others**.**\
****For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/clocks/](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/)
There is a **CSRF** vulnerability in the **seach by content** function and you can make the **admin visit any page**. Then, you could make the admin visit a malicious web server (yours) that will **exploit** the **CSRF** and will make the victim **search for** the file that starts with "_**flag**_". The attacker will make a **loop** so it will make the victim **search for every possibility** in: _flagX_. Then, if a character took **more time** that the rest, you can **asume** that it was the **correct** one and you can start a **new loop** with "_flag{X_" until you get the flag.
### Network Timing
That is the **idea** but in the **real world** you need queries that retrive content take **much more time** that the queries that doesn't return anything.
Several events can be timed using the mentioned clocks, such as requests, onload and unload events, cross-windows loads...\
For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/)
For more information you can read:
### Performance API
* [https://medium.com/@luanherrera/xs-searching-googles-bug-tracker-to-find-out-vulnerable-source-code-50d8135b7549](https://medium.com/@luanherrera/xs-searching-googles-bug-tracker-to-find-out-vulnerable-source-code-50d8135b7549)
* [https://www.researchgate.net/publication/280738245\_Cross-Site\_Search\_Attacks](https://www.researchgate.net/publication/280738245\_Cross-Site\_Search\_Attacks)
The [`Performance API`](https://developer.mozilla.org/en-US/docs/Web/API/Performance) provides access to performance-related information enhanced by the data from the [`Resource Timing API`](https://developer.mozilla.org/en-US/docs/Web/API/Resource\_Timing\_API) which provides the timings of network requests such as the duration but when theres a `Timing-Allow-Origin: *` header sent by the server the transfer size and domain lookup time is also provided.\
This data can be accessed by using [`performance.getEntries`](https://developer.mozilla.org/en-US/docs/Web/API/Performance/getEntries) or [`performance.getEntriesByName`](https://developer.mozilla.org/en-US/docs/Web/API/Performance/getEntriesByName) It can also be used to get the execution time using the difference of [`performance.now()`](https://developer.mozilla.org/en-US/docs/Web/API/Performance/now) however this seems to be less precise for a chrome fetch because it only provides the milliseconds.
# XS-Search - Iframe
This API can be used to measure the time of a request or to detect the use of X-Frame-Options as the blocked page won't be added to the `performance` object in Chrome.
For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/](https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/)
### Execution Timing
#### Timing the Event Loop <a href="#timing-the-event-loop" id="timing-the-event-loop"></a>
JavaScripts concurrency model is based on a [single-threaded event loop](https://developer.mozilla.org/en-US/docs/Web/JavaScript/EventLoop) which means **it can only run one task at a time**.\
Inferring **how long code from a different origin takes to run** by measuring how long it t**akes to run next in the event pool**. The attacker keeps sending events to the event loop with fixed properties, which will eventually be dispatched if the pool is empty. Other origins dispatch events to the same pool, and this is where an **attacker infers the time difference by detecting if a delay occurred with one of its tasks**.
For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#timing-the-event-loop](https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#timing-the-event-loop)
#### Busy Event Loop <a href="#busy-event-loop" id="busy-event-loop"></a>
An attacker could locking the event loop of a thread and timing **how long it takes for the event loop to become available again**. One of the main advantages of this technique is its ability to circumvent Site Isolation, as an attacker origin can influence the execution of another origin.
For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#busy-event-loop](https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#busy-event-loop)
#### Service Workers <a href="#service-workers" id="service-workers"></a>
1. The attacker registers a service worker in one of their domains (attacker.com).
2. In the main document, the attacker issues a navigation (window.open) to the target website and instructs the Service Worker to start a timer.
3. When the new window starts loading, the attacker navigates the reference obtained in step 2 to a page handled by the Service Worker.
4. When the request performed in step 3 arrives at the service worker, it returns a 204 (No Content) response, which aborts the navigation.
5. At this point, the Service Worker collects a measurement from the timer started in step 2. This measurement is affected by how long JavaScript blocked the navigation.
For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#service-workers](https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#service-workers)
#### jQuery, CSS Selectors & Short-circuit Timing
#### If `jQuery(location.hash)` sdf
## Window References
If a page sets its `opener` property to `null` or is using [COOP](https://xsleaks.dev/docs/defenses/opt-in/coop/) protection depending on the users' state, it's possible to check the status of the user.\
For more info: [https://xsleaks.dev/docs/attacks/window-references/](https://xsleaks.dev/docs/attacks/window-references/)
## CSS Tricks
CSS can be used to trick a user into exposing information such as embedded pixel values by making visual changes that are affected by the embed. It could be also used to exfiltrate the history or autocomplete passwords.\
For more info: [https://xsleaks.dev/docs/attacks/css-tricks/](https://xsleaks.dev/docs/attacks/css-tricks/)
## Error Events
When a webpage tries to load an URL if the response has an **error status an** [**error event**](https://developer.mozilla.org/en-US/docs/Web/API/Element/error\_event) **is fired**. This helps to find out things like for example if the current user had access to the requested data.\
For more info: [https://xsleaks.dev/docs/attacks/error-events/](https://xsleaks.dev/docs/attacks/error-events/)
## Frame Counting
Counting the **number of frames in a web** opened via `iframe` or `window.open` might help to identify the status of the user over that page.\
Moreover, if the page has always the same number of frames, checking continuously the number of frames might help to identify a **pattern** that might leak info.\
For more info: [https://xsleaks.dev/docs/attacks/frame-counting/](https://xsleaks.dev/docs/attacks/frame-counting/)
## Navigations
Detecting if a **cross-site page triggered a navigation** (or didnt) can leak the status of the user in the page.\
For more info: [https://xsleaks.dev/docs/attacks/navigations/](https://xsleaks.dev/docs/attacks/navigations/)
### Download Trigger <a href="#download-trigger" id="download-trigger"></a>
If only a logged in user would be able to **access a page which will download a file** because it's using the [`Content-Disposition: attachment`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) header. It'o possible to detect that behaviour.\
For more info: [https://xsleaks.dev/docs/attacks/navigations/#download-trigger](https://xsleaks.dev/docs/attacks/navigations/#download-trigger)
### Server-Side Redirects
If a server-side redirect uses **user input inside the redirection** and **extra data**. It's possible to detect this behaviour because usually **servers** has a **limit request length**. If the **user data** is that **length - 1**, because the **redirect** is using **that data** and **adding** something **extra**, it will trigger an **error detectable via Error Events**.\
For more info: [https://xsleaks.dev/docs/attacks/navigations/#server-side-redirects](https://xsleaks.dev/docs/attacks/navigations/#server-side-redirects)
### Cross-Origin Redirects <a href="#cross-origin-redirects" id="cross-origin-redirects"></a>
An attacker could **inject a CSP** using meta tags using the `connect-src` which triggers a `Violation` event every time a **`fetch` follows an URL not set in the CSP directive**. This allows an attacker to detect if a redirect to another origin occurred.\
For more info: [https://xsleaks.dev/docs/attacks/navigations/#cross-origin-redirects](https://xsleaks.dev/docs/attacks/navigations/#cross-origin-redirects)
## Cache Probing
Because under certain (generic) conditions **resources are cached** by the browser, it would be possible to know for example if a **user has accessed a page** by checking if some **resource** of that **page** has been **cached**.\
For more info: [https://xsleaks.dev/docs/attacks/cache-probing/](https://xsleaks.dev/docs/attacks/cache-probing/)
### Timing
You could use a [**timing technique**](xs-search.md#time-attack) to check if the resource was cached.
### Error Events
If a page loads an image only if the user is logged in, you can **invalidate** the **resource** (so it's no longer cached if it was), **perform a request** that could load that resource and try to load the resource **with a bad request** (e.g. using an overlong referer header). If the resource load **didn't trigger any error**, it's because it was **cached**.\
For more info: [https://xsleaks.dev/docs/attacks/cache-probing/#cache-probing-with-error-events](https://xsleaks.dev/docs/attacks/cache-probing/#cache-probing-with-error-events)
### CORS error on Origin Reflection misconfiguration <a href="#cors-error-on-origin-reflection-misconfiguration" id="cors-error-on-origin-reflection-misconfiguration"></a>
In case the **Origin header** is being **reflected** in the header `Access-Control-Allow-Origin` an attacker can abuse this behaviour to try to **fetch** the **resource** in **CORS** mode. If an **error** **isn't** triggered, it means that it was **correctly retrieved form the web**, if it's **triggered**, it's because it was **accessed from the cache.**\
****Note that if the origin isn't reflected but a wildcard is used (`Access-Control-Allow-Origin: *`) this won't work.\
****For more info: [https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration](https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration)
### Fetch with AbortController <a href="#fetch-with-abortcontroller" id="fetch-with-abortcontroller"></a>
[**`AbortController`**](https://developer.mozilla.org/en-US/docs/Web/API/AbortController) **** could be combined with _**fetch**_ and _**setTimeout**_ to both detect whether the **resource is cached** and to evict a specific resource from the browser cache. A nice feature of this technique is that the probing occurs without caching new content in the process.\
For more info: [https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller](https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller)
### Performance API
Using the [Performance API](xs-search.md#performance-api) it's possible to check if a resource is cached.\
For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources](https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources)
### Partitioned HTTP Cache Bypass <a href="#partitioned-http-cache-bypass" id="partitioned-http-cache-bypass"></a>
If a site `example.com` includes a resource from `*.example.com/resource` then that resource will have the same caching key as if the resource was directly requested through top-level navigation. That is because the caching key is consisted of top-level _eTLD+1_ and frame _eTLD+1_. [3](https://xsleaks.dev/docs/attacks/navigations/#fn:3)
Before accessing the cache is faster than loading a resource, it's possible to try to change the location of a page and cancel it 20ms (for example) after. If the origin was changed after the stop, it means that the resource was cached.
For more info: [https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass](https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass)
## Element Leaks
### HTMLElements
Some HTMLElements will leak some information to cross-origins such as the type of media they are.
* [HTMLMediaElement](https://developer.mozilla.org/en-US/docs/Web/API/HTMLMediaElement) leaks the media `duration` and the `buffered` times.
* [HTMLVideoElement](https://developer.mozilla.org/en-US/docs/Web/API/HTMLVideoElement) leaks the `videoHeight` and `videoWidth` some browsers may also have `webkitVideoDecodedByteCount`, `webkitAudioDecodedByteCount` and `webkitDecodedFrameCount`
* [getVideoPlaybackQuality()](https://developer.mozilla.org/en-US/docs/Web/API/VideoPlaybackQuality) leaks the `totalVideoFrames`.
* [HTMLImageElement](https://developer.mozilla.org/en-US/docs/Web/API/HTMLImageElement) leaks the `height` and `width` but if the image is invalid they will be 0 and [`image.decode()`](https://developer.mozilla.org/en-US/docs/Web/API/HTMLImageElement/decode) will get rejected.
For more info: [https://xsleaks.dev/docs/attacks/element-leaks/](https://xsleaks.dev/docs/attacks/element-leaks/)
### Abusing CORB <a href="#abusing-corb" id="abusing-corb"></a>
[CORB](https://xsleaks.dev/docs/attacks/browser-features/corb/) is a feature of Chrome that makes responses empty if the wrong content type is used. This means that if the type is wrong its not cached, so it's possible to infer the type of the media.\
For more info: [https://xsleaks.dev/docs/attacks/element-leaks/#abusing-corb](https://xsleaks.dev/docs/attacks/element-leaks/#abusing-corb)
### Abusing getComputedStyle <a href="#abusing-getcomputedstyle" id="abusing-getcomputedstyle"></a>
[getComputedStyle](https://developer.mozilla.org/en-US/docs/Web/API/Window/getComputedStyle) can be used to read an embedded to the current page CSS style sheets. Including those loaded from different origins.\
For more info: [https://xsleaks.dev/docs/attacks/element-leaks/#abusing-getcomputedstyle](https://xsleaks.dev/docs/attacks/element-leaks/#abusing-getcomputedstyle)
### PDF <a href="#pdf" id="pdf"></a>
There are [Open URL Parameters](https://bugs.chromium.org/p/chromium/issues/detail?id=64309#c113) that allow some control over the content such as `zoom`, `view`, `page`, `toolbar`.\
For chrome, a PDF can be detected with [frame counting](https://xsleaks.dev/docs/attacks/frame-counting/) because an `embed` is used internally.\
For more info: [https://xsleaks.dev/docs/attacks/element-leaks/#pdf](https://xsleaks.dev/docs/attacks/element-leaks/#pdf)
### Script Tag
When a cross-origin script is included on a page its not directly possible to read its contents. However, if a script uses any built-in functions, its possible to overwrite them and read their arguments which might leak valuable information.\
For more info: [https://xsleaks.dev/docs/attacks/element-leaks/#script-tag](https://xsleaks.dev/docs/attacks/element-leaks/#script-tag)
### Without Javascript <a href="#when-javascript-cant-be-used" id="when-javascript-cant-be-used"></a>
If JavaScript is disabled its still possible to leak some information about cross-origin resources. For example, an `<object>` can be used to detect **whether a resource responds with **_**Error Code**_. What happens is that if a resource `//example.org/resource` returns an error in `<object data=//example.org/resource>fallback</object>` then `fallback` will be rendered. Its possible to inject another `<object>` inside that will leak the information to an outside server, or detect it with CSS.\
For more info: [https://xsleaks.dev/docs/attacks/element-leaks/#when-javascript-cant-be-used](https://xsleaks.dev/docs/attacks/element-leaks/#when-javascript-cant-be-used)
## ID Leak
It's possible to l**oad a page** inside an **iframe** and use the `#id_value` to make the page **focus on the element** of the iframe with indicated if, then if an **`onblur`** signal is triggered, the ID element exists.\
For more info: [https://xsleaks.dev/docs/attacks/id-attribute/](https://xsleaks.dev/docs/attacks/id-attribute/)\
You can perform the same attack with **`portal`** tags, for more info: [https://xsleaks.dev/docs/attacks/experiments/portals/](https://xsleaks.dev/docs/attacks/experiments/portals/)
## postMessage Broadcasts
Applications often use [postMessage broadcasts](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) to share information with other origins. Listening to this messages one cloud find sensitive info (potentially if the the `targetOrigin` param is not used).\
Also, the fact of receiving some message can be used as an oracle (you only receive this kind of message if you are logged in).\
For more info: [https://xsleaks.dev/docs/attacks/postmessage-broadcasts/](https://xsleaks.dev/docs/attacks/postmessage-broadcasts/)
## CORB & CORP Leaks
You can find [what is **CORP** in this page](../network-services-pentesting/pentesting-web/special-http-headers.md#corp).\
You can find [what is **CORB** in this page](../network-services-pentesting/pentesting-web/special-http-headers.md#corp-1).
A page could leak if it's using these headers to protect in some specific cases.\
For more info: [https://xsleaks.dev/docs/attacks/browser-features/corb/](https://xsleaks.dev/docs/attacks/browser-features/corb/) and [https://xsleaks.dev/docs/attacks/browser-features/corp/](https://xsleaks.dev/docs/attacks/browser-features/corp/)
## XS-Search - Iframe
Suppose that you can **insert** the **page** that has the **secret** content **inside an Iframe**.
You can **make the victim search** for the file that contains "_**flag**_" using an **Iframe** (exploiting a CSRF like in the prevous situation). Inside the Iframe you know that the _**onload event**_ will be **executed always at least once**. Then, you can **change** the **URL** of the **iframe** but changing only the **content** of the **hash** inside the URL.
You can **make the victim search** for the file that contains "_**flag**_" using an **Iframe** (exploiting a CSRF like in the previous situation). Inside the Iframe you know that the _**onload event**_ will be **executed always at least once**. Then, you can **change** the **URL** of the **iframe** but changing only the **content** of the **hash** inside the URL.
For example:
@ -51,13 +228,13 @@ Then, you can **distinguish between** a **correctly** loaded page or page that h
If you can make the page error when the correct content is accessed and make it load correctly when any content is accessed, then you can make a loop to extract all the information without meassuring the time.
## Iframe Chrome XSS Auditor
### Iframe Chrome XSS Auditor
Imagine the **same situation as in the Timing attack method** and you also know that the **admin** is using a **Chrome browser** (for example, Chrome-headless) **with Chrome XSS Auditor.**
Then, you can use **iframes** to make the victim **search** for the page containing "_**flagX**_" (beeing X **any** possible **character**)inside a loop, and you also add to the URL inside the iframes a **fake parameter** that **contains javascript code that will only appear when a valid content is retrived**.
For example, if when you **search for** the **content **_**"my file"**_ the web server responds with a page that **includes** this **javascript** code:
For example, if when you **search for** the **content \_"my file"**\_ the web server responds with a page that **includes** this **javascript** code:
```
<script>console.log("you found someting");</script>
@ -75,13 +252,13 @@ Then, you can use Chrome XSS Auditor to **launch an error** when a **valid respo
For more information: [https://www.youtube.com/watch?v=HcrQy0C-hEA](https://www.youtube.com/watch?v=HcrQy0C-hEA)
## Abusing Chrome XSS Auditor to steal tokens
### Abusing Chrome XSS Auditor to steal tokens
Using the previous technique (with Chrome XSS Auditor) you can **steal chunks of the code returned to a user** (like tokens for example). For more information: [https://portswigger.net/blog/abusing-chromes-xss-auditor-to-steal-tokens](https://portswigger.net/blog/abusing-chromes-xss-auditor-to-steal-tokens)
Please, notice that you will steal information returned to a user and not any code from the web server.
# Custom Detection
## Custom Detection
In the **fbcft2019** the **challenge**: **secret note keeper** was resolved exploiting a XS-Search.
@ -144,18 +321,14 @@ exploit();
</script>
</html>
```
# More information
## More information
{% embed url="https://github.com/xsleaks/xsleaks" %}
[https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle](https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle)
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -171,5 +344,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>