Chrome Cache to XSS
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
More in depth details in this writeup.
The technique discussed here involves understanding the behavior and interaction of two primary cache types: the back/forward cache (bfcache) and the disk cache. The bfcache, which stores a complete snapshot of a page including the JavaScript heap, is prioritized over the disk cache for back/forward navigations due to its ability to store a more comprehensive snapshot. The disk cache, in contrast, stores resources fetched from the web without including the JavaScript heap, and is utilized for back/forward navigations to reduce communication costs. An interesting aspect of the disk cache is its inclusion of resources fetched using fetch
, meaning accessed URL resources will be rendered by the browser from the cache.
Key Points:
The bfcache has precedence over the disk cache in back/forward navigations.
To utilize a page stored in disk cache instead of bfcache, the latter must be disabled.
Disabling bfcache:
By default, Puppeteer disables bfcache, aligning with conditions listed in Chromium's documentation. One effective method to disable bfcache is through the use of RelatedActiveContentsExist
, achieved by opening a page with window.open()
that retains a reference to window.opener
.
Reproducing the behavior:
Visit a webpage, e.g.,
https://example.com
.Execute
open("http://spanote.seccon.games:3000/api/token")
, which results in a server response with a 500 status code.In the newly opened tab, navigate to
http://spanote.seccon.games:3000/
. This action caches the response ofhttp://spanote.seccon.games:3000/api/token
as a disk cache.Use
history.back()
to navigate back. The action results in the rendering of the cached JSON response on the page.
Verification that the disk cache was utilized can be confirmed through the use of DevTools in Google Chrome.
For further details on bfcache and disk cache, references can be found at web.dev on bfcache and Chromium's design documents on disk cache, respectively.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Last updated