From 02e64609cf4550d56e75c650a5b19fff1381b50c Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sun, 26 Oct 2025 08:26:38 +0000 Subject: [PATCH 1/2] Add content from: Research Update: Enhanced src/pentesting-web/xs-search/cooki... --- .../cookie-bomb-+-onerror-xs-leak.md | 41 ++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md b/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md index 593242403bb..adc268d5cef 100644 --- a/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md +++ b/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md @@ -79,6 +79,9 @@ The following script (from a public writeup) abuses a feature that lets the atta Why the popup (window.open)? - Modern browsers increasingly block third-party cookies. Opening a top-level window to the target makes cookies first‑party so Set-Cookie responses from the target will stick, enabling the cookie-bomb step even with third‑party cookie restrictions. +2024–2025 notes on cookie availability +- Chromium-based browsers still commonly send third‑party cookies unless the user or site opts out, but Safari and Firefox block most third‑party cookies by default. Plan for both: (1) use a first‑party cookie planting flow (window.open + auto-submit to a cookie-setting endpoint) and then (2) probe with a subresource that only succeeds when those cookies are sent. If third‑party cookies are blocked, move the probe into a same-site context (e.g., run the oracle in the popup via a same-site gadget and exfiltrate the boolean with postMessage or a beacon to your server). + Generic probing helper If you already have a way to set many cookies on the target origin (first-party), you can reuse this minimal oracle against any endpoint whose success/failure leads to different network outcomes (status/MIME/redirect): @@ -94,10 +97,44 @@ function probeError(url) { } ``` +Alternative tag oracle (stylesheet) +```js +function probeCSS(url) { + return new Promise((resolve) => { + const l = document.createElement('link'); + l.rel = 'stylesheet'; + l.href = url; + l.onload = () => resolve(false); + l.onerror = () => resolve(true); + document.head.appendChild(l); + }); +} +``` + +Advanced: de Bruijn–based cookie packing (CTF-proven) +- When the app lets you control large cookie values, you can pack guesses efficiently by appending a de Bruijn sequence to each probe. This keeps per‑probe overhead small while ensuring the heavy branch is consistently heavier only for the right prefix. Example generator for |Σ| symbols of length n (fits in a cookie value): +```js +const ALPH = '_{}0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; +function deBruijn(k, n, alphabet=ALPH){ + const a = Array(k * n).fill(0), seq=[]; + (function db(t,p){ + if(t>n){ if(n%p===0) for(let j=1;j<=p;j++) seq.push(a[j]); } + else { a[t]=a[t-p]; db(t+1,p); for(let j=a[t-p]+1;jalphabet[i]).join(''); +} +``` +- Idea in practice: set multiple cookies whose values are prefix + deBruijn(k,n). Only when the tested prefix is correct does the server take the heavy path (e.g., extra redirect reflecting the long cookie or URL), which, combined with the cookie bloat, crosses limits and flips onerror. See a LA CTF 2024 public solver using this approach. + Tips to build the oracle - Force the “positive” state to be heavier: chain an extra redirect only when the predicate is true, or make the redirect URL reflect unbounded user input so it grows with the guessed prefix. - Inflate headers: repeat cookie bombing until a consistent error is observed on the “heavy” path. Servers commonly cap header size and will fail sooner when many cookies are present. - Stabilize: fire multiple parallel cookie set operations and probe repeatedly to average out timing and caching noise. +- Bust caches and avoid pooling artifacts: add a random `#fragment` or `?r=` to probe URLs, and prefer distinct window names when using window.open loops. +- Alternate subresources: if