diff --git a/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md b/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md index 593242403bb..b7c7cdd5a84 100644 --- a/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md +++ b/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md @@ -79,6 +79,9 @@ The following script (from a public writeup) abuses a feature that lets the atta Why the popup (window.open)? - Modern browsers increasingly block third-party cookies. Opening a top-level window to the target makes cookies first‑party so Set-Cookie responses from the target will stick, enabling the cookie-bomb step even with third‑party cookie restrictions. +2024–2025 notes on cookie availability +- Chromium-based browsers still commonly send third‑party cookies unless the user or site opts out, but Safari and Firefox block most third‑party cookies by default. Plan for both: (1) use a first‑party cookie planting flow (window.open + auto-submit to a cookie-setting endpoint) and then (2) probe with a subresource that only succeeds when those cookies are sent. If third‑party cookies are blocked, move the probe into a same-site context (e.g., run the oracle in the popup via a same-site gadget and exfiltrate the boolean with postMessage or a beacon to your server). + Generic probing helper If you already have a way to set many cookies on the target origin (first-party), you can reuse this minimal oracle against any endpoint whose success/failure leads to different network outcomes (status/MIME/redirect): @@ -94,10 +97,44 @@ function probeError(url) { } ``` +Alternative tag oracle (stylesheet) +```js +function probeCSS(url) { + return new Promise((resolve) => { + const l = document.createElement('link'); + l.rel = 'stylesheet'; + l.href = url; + l.onload = () => resolve(false); + l.onerror = () => resolve(true); + document.head.appendChild(l); + }); +} +``` + +Advanced: de Bruijn–based cookie packing (CTF-proven) +- When the app lets you control large cookie values, you can pack guesses efficiently by appending a de Bruijn sequence to each probe. This keeps per‑probe overhead small while ensuring the heavy branch is consistently heavier only for the right prefix. Example generator for |Σ| symbols of length n (fits in a cookie value): +```js +const ALPH = '_{}0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; +function deBruijn(k, n, alphabet=ALPH){ + const a = Array(k * n).fill(0), seq=[]; + (function db(t,p){ + if(t>n){ if(n%p===0) for(let j=1;j<=p;j++) seq.push(a[j]); } + else { a[t]=a[t-p]; db(t+1,p); for(let j=a[t-p]+1;jalphabet[i]).join(''); +} +``` +- Idea in practice: set multiple cookies whose values are prefix + deBruijn(k,n). Only when the tested prefix is correct does the server take the heavy path (e.g., extra redirect reflecting the long cookie or URL), which, combined with the cookie bloat, crosses limits and flips onerror. See a LA CTF 2024 public solver using this approach. + Tips to build the oracle - Force the “positive” state to be heavier: chain an extra redirect only when the predicate is true, or make the redirect URL reflect unbounded user input so it grows with the guessed prefix. - Inflate headers: repeat cookie bombing until a consistent error is observed on the “heavy” path. Servers commonly cap header size and will fail sooner when many cookies are present. - Stabilize: fire multiple parallel cookie set operations and probe repeatedly to average out timing and caching noise. +- Bust caches and avoid pooling artifacts: add a random `#fragment` or `?r=` to probe URLs, and prefer distinct window names when using window.open loops. +- Alternate subresources: if `