Skip to content

Research Update Enhanced src/pentesting-web/xs-search/cookie... #1523

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Nov 7, 2025
Merged

Research Update Enhanced src/pentesting-web/xs-search/cookie... #1523

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
02e6460
Add content from: Research Update: Enhanced src/pentesting-web/xs-sea…
Oct 26, 2025
87238e8
Fix formatting of alternate subresources section
carlospolop Nov 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 39 additions & 0 deletions src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,9 @@ The following script (from a public writeup) abuses a feature that lets the atta
Why the popup (window.open)?
- Modern browsers increasingly block third-party cookies. Opening a top-level window to the target makes cookies first‑party so Set-Cookie responses from the target will stick, enabling the cookie-bomb step even with third‑party cookie restrictions.

2024–2025 notes on cookie availability
- Chromium-based browsers still commonly send third‑party cookies unless the user or site opts out, but Safari and Firefox block most third‑party cookies by default. Plan for both: (1) use a first‑party cookie planting flow (window.open + auto-submit to a cookie-setting endpoint) and then (2) probe with a subresource that only succeeds when those cookies are sent. If third‑party cookies are blocked, move the probe into a same-site context (e.g., run the oracle in the popup via a same-site gadget and exfiltrate the boolean with postMessage or a beacon to your server).

Generic probing helper
If you already have a way to set many cookies on the target origin (first-party), you can reuse this minimal oracle against any endpoint whose success/failure leads to different network outcomes (status/MIME/redirect):

Expand All @@ -94,10 +97,44 @@ function probeError(url) {
}
```

Alternative tag oracle (stylesheet)
```js
function probeCSS(url) {
return new Promise((resolve) => {
const l = document.createElement('link');
l.rel = 'stylesheet';
l.href = url;
l.onload = () => resolve(false);
l.onerror = () => resolve(true);
document.head.appendChild(l);
});
}
```

Advanced: de Bruijn–based cookie packing (CTF-proven)
- When the app lets you control large cookie values, you can pack guesses efficiently by appending a de Bruijn sequence to each probe. This keeps per‑probe overhead small while ensuring the heavy branch is consistently heavier only for the right prefix. Example generator for |Σ| symbols of length n (fits in a cookie value):
```js
const ALPH = '_{}0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
function deBruijn(k, n, alphabet=ALPH){
const a = Array(k * n).fill(0), seq=[];
(function db(t,p){
if(t>n){ if(n%p===0) for(let j=1;j<=p;j++) seq.push(a[j]); }
else { a[t]=a[t-p]; db(t+1,p); for(let j=a[t-p]+1;j<k;j++){ a[t]=j; db(t+1,t);} }
})(1,1);
return seq.map(i=>alphabet[i]).join('');
}
```
- Idea in practice: set multiple cookies whose values are prefix + deBruijn(k,n). Only when the tested prefix is correct does the server take the heavy path (e.g., extra redirect reflecting the long cookie or URL), which, combined with the cookie bloat, crosses limits and flips onerror. See a LA CTF 2024 public solver using this approach.

Tips to build the oracle
- Force the “positive” state to be heavier: chain an extra redirect only when the predicate is true, or make the redirect URL reflect unbounded user input so it grows with the guessed prefix.
- Inflate headers: repeat cookie bombing until a consistent error is observed on the “heavy” path. Servers commonly cap header size and will fail sooner when many cookies are present.
- Stabilize: fire multiple parallel cookie set operations and probe repeatedly to average out timing and caching noise.
- Bust caches and avoid pooling artifacts: add a random `#fragment` or `?r=` to probe URLs, and prefer distinct window names when using window.open loops.
- Alternate subresources: if `<script>` is filtered, try `<link rel=stylesheet>` or `<img>`. The onload/onerror boolean is the oracle; content never needs to be parsed.

Common header/URL limits (useful thresholds)
- Reverse proxies/CDNs and servers enforce different caps. As of October 2025, Cloudflare documents 128 KB total for request headers (and 16 KB URL) on the edge, so you may need more/larger cookies when targets sit behind it. Other stacks (e.g., Apache via LimitRequestFieldSize) are often closer to ~8 KB per header line and will hit errors earlier. Adjust bomb size accordingly. [Cloudflare docs show the 128 KB header limit.]

Related XS-Search tricks
- URL length based oracles (no cookies needed) can be combined or used instead when you can force a very long request target:
Expand Down Expand Up @@ -127,4 +164,6 @@ Notes
## References
- XS-Leaks: Error Events (onerror/onload as an oracle): https://xsleaks.dev/docs/attacks/error-events/
- MDN: 431 Request Header Fields Too Large (common with many cookies): https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/431
- LA CTF 2024 writeup note showing a de Bruijn cookie-bomb oracle: https://gist.github.com/arkark/5787676037003362131f30ca7c753627
- Cloudflare edge limits (URLs 16 KB, request headers 128 KB): https://developers.cloudflare.com/fundamentals/reference/connection-limits/
{{#include ../../banners/hacktricks-training.md}}