hacktricks/pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.md

Chrome Cache to XSS

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

• Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
• Discover The PEASS Family, our collection of exclusive NFTs
• Get the official PEASS & HackTricks swag
• Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
• Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.

Technique taken from this writeup.

There are two important types of cache:

• back/forward cache (bfcache)
  • ref. https://web.dev/i18n/en/bfcache/
  • It stores a complete snapshot of a page including the JavaScript heap.
  • The cache is used for back/forward navigations.
  • it has preference over disk cache
• disk cache
  • ref. https://www.chromium.org/developers/design-documents/network-stack/disk-cache/
  • It stores a resource fetched from the web. The cache doesn't include the JavaScript heap.
  • The cache is also used for back/forward navigations to skip communication costs.

As a interesting point of disk cache, the cache includes not only the HTTP response rendered to a web page, but also those fetched with fetch. In other words, if you access the URL for a fetched resource, the browser will render the resource on the page.

There is another important point. If both disk cache and bfcache are valid for an accessed page at back/forward navigations, the bfcache has priority over the disk cache. So, if you need to access a page stored in both caches but you want to use the one from the disk, you need to somehow disable bfcache.

Disable bfcache

bfcache is disabled by default options of puppeteer.

Let's try the interesting behavior in this challenge.

Firstly, you have to disable bfcache[2]. There are many conditions where bfcache is disabled, the list is:

• https://source.chromium.org/chromium/chromium/src/+/main:out/mac-Debug/gen/third_party/blink/renderer/core/inspector/protocol/page.cc?q=BackForwardCacheNotRestoredReasonEnum &ss=chromium

The easy way is to use RelatedActiveContentsExist.

• RelatedActiveContentsExist: The page opend with window.open() and it has a reference of window.opener.
• ref. https://web.dev/i18n/en/bfcache/#avoid-windowopener-references

Therefore, the following procedure reproduces the behavior:

1. Access a web page (E.g. https://example.com)
2. Execute open("http://spanote.seccon.games:3000/api/token")
   • 
   • The server returns a response with 500 status code.
3. In the opend tab, access http://spanote.seccon.games:3000/
   • 
   • Then, the response of http://spanote.seccon.games:3000/api/token is cached as a disk cache.
4. Execute history.back()
   • 
   • The cached JSON response is rendered on the page!

You can confirm that disk cache is used using DevTools in Google Chrome:

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

• Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
• Discover The PEASS Family, our collection of exclusive NFTs
• Get the official PEASS & HackTricks swag
• Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
• Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.