Merge pull request #1523 from HackTricks-wiki/research_update_src_pentesting-web_xs-search_cookie-bomb-+-onerror-xs-leak_20251026_082306

carlospolop · web-flow · commit b34261a5893e · 2025-11-07T07:20:56.000+01:00
Research Update Enhanced src/pentesting-web/xs-search/cookie...
diff --git a/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md b/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md
@@ -79,6 +79,9 @@ The following script (from a public writeup) abuses a feature that lets the atta
 Why the popup (window.open)?
 - Modern browsers increasingly block third-party cookies. Opening a top-level window to the target makes cookies first‑party so Set-Cookie responses from the target will stick, enabling the cookie-bomb step even with third‑party cookie restrictions.
 
+2024–2025 notes on cookie availability
+- Chromium-based browsers still commonly send third‑party cookies unless the user or site opts out, but Safari and Firefox block most third‑party cookies by default. Plan for both: (1) use a first‑party cookie planting flow (window.open + auto-submit to a cookie-setting endpoint) and then (2) probe with a subresource that only succeeds when those cookies are sent. If third‑party cookies are blocked, move the probe into a same-site context (e.g., run the oracle in the popup via a same-site gadget and exfiltrate the boolean with postMessage or a beacon to your server).
+
 Generic probing helper
 If you already have a way to set many cookies on the target origin (first-party), you can reuse this minimal oracle against any endpoint whose success/failure leads to different network outcomes (status/MIME/redirect):
 
@@ -94,10 +97,44 @@ function probeError(url) {
 }
 ```
 
+Alternative tag oracle (stylesheet)
+```js
+function probeCSS(url) {
+  return new Promise((resolve) => {
+    const l = document.createElement('link');
+    l.rel = 'stylesheet';
+    l.href = url;
+    l.onload = () => resolve(false);
+    l.onerror = () => resolve(true);
+    document.head.appendChild(l);
+  });
+}
+```
+
+Advanced: de Bruijn–based cookie packing (CTF-proven)
+- When the app lets you control large cookie values, you can pack guesses efficiently by appending a de Bruijn sequence to each probe. This keeps per‑probe overhead small while ensuring the heavy branch is consistently heavier only for the right prefix. Example generator for |Σ| symbols of length n (fits in a cookie value):
+```js
+const ALPH = '_{}0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+function deBruijn(k, n, alphabet=ALPH){
+  const a = Array(k * n).fill(0), seq=[];
+  (function db(t,p){
+    if(t>n){ if(n%p===0) for(let j=1;j<=p;j++) seq.push(a[j]); }
+    else { a[t]=a[t-p]; db(t+1,p); for(let j=a[t-p]+1;j<k;j++){ a[t]=j; db(t+1,t);} }
+  })(1,1);
+  return seq.map(i=>alphabet[i]).join('');
+}
+```
+- Idea in practice: set multiple cookies whose values are prefix + deBruijn(k,n). Only when the tested prefix is correct does the server take the heavy path (e.g., extra redirect reflecting the long cookie or URL), which, combined with the cookie bloat, crosses limits and flips onerror. See a LA CTF 2024 public solver using this approach.
+
 Tips to build the oracle
 - Force the “positive” state to be heavier: chain an extra redirect only when the predicate is true, or make the redirect URL reflect unbounded user input so it grows with the guessed prefix.
 - Inflate headers: repeat cookie bombing until a consistent error is observed on the “heavy” path. Servers commonly cap header size and will fail sooner when many cookies are present.
 - Stabilize: fire multiple parallel cookie set operations and probe repeatedly to average out timing and caching noise.
+- Bust caches and avoid pooling artifacts: add a random `#fragment` or `?r=` to probe URLs, and prefer distinct window names when using window.open loops.
+- Alternate subresources: if `<script>` is filtered, try `<link rel=stylesheet>` or `<img>`. The onload/onerror boolean is the oracle; content never needs to be parsed.
+
+Common header/URL limits (useful thresholds)
+- Reverse proxies/CDNs and servers enforce different caps. As of October 2025, Cloudflare documents 128 KB total for request headers (and 16 KB URL) on the edge, so you may need more/larger cookies when targets sit behind it. Other stacks (e.g., Apache via LimitRequestFieldSize) are often closer to ~8 KB per header line and will hit errors earlier. Adjust bomb size accordingly. [Cloudflare docs show the 128 KB header limit.]
 
 Related XS-Search tricks
 - URL length based oracles (no cookies needed) can be combined or used instead when you can force a very long request target:
@@ -127,4 +164,6 @@ Notes
 ## References
 - XS-Leaks: Error Events (onerror/onload as an oracle): https://xsleaks.dev/docs/attacks/error-events/
 - MDN: 431 Request Header Fields Too Large (common with many cookies): https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/431
+- LA CTF 2024 writeup note showing a de Bruijn cookie-bomb oracle: https://gist.github.com/arkark/5787676037003362131f30ca7c753627
+- Cloudflare edge limits (URLs 16 KB, request headers 128 KB): https://developers.cloudflare.com/fundamentals/reference/connection-limits/
 {{#include ../../banners/hacktricks-training.md}}
