# XS-Search

**The best resource to learn XS-Search is** [**https://xsleaks.dev/**](https://xsleaks.dev/)

## XS-Search Time attack <a href="#xs-search-time-attack" id="xs-search-time-attack"></a>

Basically, you exploit a **CSRF vulnerability** to make a specific user access some **information** that the **victim can access** but you can't. Then, you **check** the **time** it takes for the request to be answered, and depending on that you can tell whether the content was correctly accessed or not.

For example, imagine that the **admin of a web** page can **access all** the files inside the **webfiles** service and **you only** can access **yours**, and you want to know the **content** of a **file** that starts with the string "***flag***".

There is a **CSRF** vulnerability in the **search by content** function and you can make the **admin visit any page**. Then, you could make the admin visit a malicious web server (yours) that will **exploit** the **CSRF** and will make the victim **search for** the file that starts with "***flag***". The attacker will run a **loop** that makes the victim **search for every possibility** in *flagX*. Then, if one character took **more time** than the rest, you can **assume** that it was the **correct** one and you can start a **new loop** with "*flag{X*" until you get the flag.

That is the **idea**, but in the **real world** you need queries that retrieve content to take **much more time** than the queries that don't return anything.


## XS-Search - Iframe <a href="#xs-search-iframe" id="xs-search-iframe"></a>

Suppose that you can **insert** the **page** that has the **secret** content **inside an Iframe**.

You can **make the victim search** for the file that contains "***flag***" using an **Iframe** (exploiting a CSRF like in the previous situation). Inside the Iframe you know that the ***onload event*** will be **executed always at least once**. Then, you can **change** the **URL** of the **iframe** by changing only the **content** of the **hash** (fragment) inside the URL.

For example:

1. **URL1**: [www.attacker.com/xssearch#try1](http://www.attacker.com/xssearch#try1)
2. **URL2**: [www.attacker.com/xssearch#try2](http://www.attacker.com/xssearch#try2)

If the first URL was **successfully loaded**, then, when **changing** the **hash** part of the URL the **onload** event **won't be triggered** again. But **if** the page had some kind of **error** when **loading**, then, the **onload** event will be **triggered again**.

Then, you can **distinguish between** a **correctly** loaded page and a page that has an **error** when it is accessed.

If you can make the page error when the correct content is accessed and load correctly when any other content is accessed, then you can run a loop to extract all the information without measuring the time.

### Iframe Chrome XSS Auditor <a href="#iframe-chrome-xss-auditor" id="iframe-chrome-xss-auditor"></a>

Imagine the **same situation as in the Timing attack method** and you also know that the **admin** is using a **Chrome browser** (for example, Chrome-headless) **with Chrome XSS Auditor.**

Then, you can use **iframes** to make the victim **search** for the page containing "***flagX***" (X being **any** possible **character**) inside a loop, and you also add to the URL inside the iframes a **fake parameter** that **contains javascript code that will only appear when a valid content is retrieved**.

For example, suppose that when you **search for** the **content** ***"my file"*** the web server responds with a page that **includes** this **javascript** code:

If you send a query like:

```
www.victim.com/search?q=my+file&fake_xss=
```
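The timing, iframe and XSS Auditor variants above all hinge on the same precondition: the admin's browser is made to request the search endpoint cross-site while carrying the admin's session. As an added example (not code from the original page), the gate below uses the browser-supplied Fetch Metadata request headers (`Sec-Fetch-Site`, `Sec-Fetch-Mode`, `Sec-Fetch-Dest`) to refuse such requests before any search runs, and lists the response headers that remove the framing and cookie preconditions; the `/search` endpoint, the `session` cookie name and the sample requests are assumptions constructed for the demonstration.

```javascript
// Added example (not from the original page): a Fetch Metadata gate plus the
// response headers for a hypothetical /search endpoint like the one abused
// above. Browsers label cross-site requests with Sec-Fetch-* headers, so the
// server can refuse them before running a privileged search.
const EMBEDDED_DESTS = new Set(['iframe', 'frame', 'object', 'embed']);
// Decide one request from its method and (lower-cased) headers.
function fetchMetadataGate(method, headers) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];
  // Older browsers send no Fetch Metadata; fail open for compatibility.
  if (site === undefined) return { allow: true, reason: 'no-fetch-metadata' };
  // The site's own pages, or a URL the user typed or bookmarked.
  if (['same-origin', 'same-site', 'none'].includes(site)) {
    return { allow: true, reason: 'same-site-or-user-initiated' };
  }
  // Cross-site: only a plain top-level GET navigation is allowed. Cross-site
  // iframes, images and fetch() calls, which the timing and iframe oracles are
  // built on, are refused.
  if (mode === 'navigate' && method === 'GET' && !EMBEDDED_DESTS.has(dest)) {
    return { allow: true, reason: 'top-level-navigation' };
  }
  return { allow: false, reason: `cross-site ${mode} to ${dest}` };
}
// Headers that break the iframe variant even without the gate: the page cannot
// be framed cross-origin, and a SameSite=Lax session cookie is not attached to
// cross-site iframe or subresource requests, so the admin never searches for
// the attacker. (Cookie name "session" is an assumption.)
function hardeningHeaders(sessionId) {
  return {
    'Content-Security-Policy': "frame-ancestors 'self'",
    'X-Frame-Options': 'SAMEORIGIN',
    'Set-Cookie': `session=${sessionId}; Secure; HttpOnly; SameSite=Lax; Path=/`,
  };
}
// Constructed sample requests modelled on the scenarios in the text.
const req = (site, mode, dest) =>
  ['GET', { 'sec-fetch-site': site, 'sec-fetch-mode': mode, 'sec-fetch-dest': dest }];
const SAMPLES = {
  ownSearchForm: req('same-origin', 'navigate', 'document'),
  attackerIframe: req('cross-site', 'navigate', 'iframe'),     // iframe variants
  attackerTimingProbe: req('cross-site', 'no-cors', 'image'),  // timing variant
  externalLink: req('cross-site', 'navigate', 'document'),
  legacyBrowser: ['GET', {}],
};
// Map each sample to the gate's verdict; true means the search would run.
function evaluateSamples() {
  return Object.fromEntries(Object.entries(SAMPLES).map(
    ([name, [method, headers]]) => [name, fetchMetadataGate(method, headers).allow]));
}
```

Only the two attacker-initiated samples are refused; the site's own form, a cross-site link to the search page and a legacy browser without Fetch Metadata are still served.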

## More information <a href="#more-information" id="more-information"></a>

<https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle>
