Research Update Enhanced src/pentesting-web/xs-search/event-...#2115

Merged
carlospolop merged 1 commit into master from
research_update_src_pentesting-web_xs-search_event-loop-blocking-+-lazy-images_20260410_132417
Apr 10, 2026

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL:
  • Blog Title: Research Update Enhanced src/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md
  • Suggested Section: Research

🎯 Content Summary

Research Update for src/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md

This PR contains automated research updates including:

  • Latest security vulnerabilities and attack vectors
  • Updated techniques and tools
  • Enhanced explanations and examples
  • Additional references and resources

Generated by: HackTricks Research Agent
Timestamp: 2026-04-10 13:29:03 UTC

Tool usage

  • apply_patch: 1
  • brave_search: 7
  • exec: 17
  • search_google_web: 7
  • task_steps_manager: ...

🔧 Technical Details

Research update for HackTricks content

🤖 Agent Actions

I’m reading the target page first, then I’ll inspect adjacent HackTricks content so the update stays specific to XS-Search event-loop blocking and lazy-image timing without duplicating generic XS-Search material.
The page is narrowly scoped and still useful, but it currently reads like a single exploit note. I’m checking nearby XS-Search pages now to avoid repeating generic timing or connection-pool material and to identify the missing high-value caveats.
I’ve separated what already exists in HackTricks from what this page still needs. Next I’m validating the modern state of this technique against recent XS-Leaks documentation, browser lazy-loading behavior, and writeups around the original challenge so the additions are precise rather than generic.
The first pass hit a local dependency issue while extracting pages, so I’m switching to plain curl/regex-based retrieval. The research target is unchanged: confirm browser lazy-loading behavior, challenge-specific constraints, and the event-loop timing primitive from primary or close-to-primary sources.
The useful new facts are converging: this technique is still valid, but it is highly environment-dependent. The key modern caveats are native lazy-loading heuristics, JavaScript-enabled requirements, and browser policies like ForceLoadAtTop that can remove load-on-scroll signals.
I have enough material to edit now. The update will stay narrow: clarify the oracle mechanics, add the operational caveats that actually determine whether this still works in modern browsers, and end with a small references section using only the sources I relied on.
The file is edited. I’m verifying the exact output now, including internal refs and the placement of the new ## References section as the last content section before the closing banner include.
Updated event-loop-blocking-+-lazy-images.md.

I kept the page focused on this specific XS-Search variant and added:

  • A clearer explanation of the Boolean oracle: lazy image fetched vs not fetched, then converted into a timing leak.
  • Practical caveats that matter in modern browsers: Chromium lazy-load thresholds, headless vs headful calibration, loading="lazy" only deferring when JavaScript is enabled, and cache effects.
  • Reliability notes on stabilizing the oracle with multiple images, cache-busters, repeated measurements, and threshold recalibration.
  • A short note about modern load-on-scroll defenses such as Document-Policy: force-load-at-top.
  • A final ## References section at the end with 2 directly cited sources.

Research URLs used:

Verification: checked the rendered content structure with sed, reviewed the git diff, and confirmed ## References is the last heading in the file.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post:

Content Categories: Based on the analysis, this content was categorized under "Research".

Repository Maintenance:

  • MD Files Formatting: 972 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop carlospolop merged commit b81c147 into master Apr 10, 2026
@carlospolop carlospolop deleted the research_update_src_pentesting-web_xs-search_event-loop-blocking-+-lazy-images_20260410_132417 branch April 10, 2026 14:56