Support HackTricks and get benefits!
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
**The best resource to learn XS-Search is** [**https://xsleaks.dev/**](https://xsleaks.dev)
# XS-Search Time attack
Basically, you exploit a **CSRF vulnerability** to make a specific user access some **information** that the **victim can access** but you can't. Then, you **check** the **time** it take the request to be responded and depending on that you can know if the content was correctly accessed or not.
For example, imagine that the **admin of a web** page can **access all** the inside the **webfiles** service and **you only** can access **yours**, and you want to know the **content** of a **file** that starts with the string "_**flag**_".
There is a **CSRF** vulnerability in the **seach by content** function and you can make the **admin visit any page**. Then, you could make the admin visit a malicious web server (yours) that will **exploit** the **CSRF** and will make the victim **search for** the file that starts with "_**flag**_". The attacker will make a **loop** so it will make the victim **search for every possibility** in: _flagX_. Then, if a character took **more time** that the rest, you can **asume** that it was the **correct** one and you can start a **new loop** with "_flag{X_" until you get the flag.
That is the **idea** but in the **real world** you need queries that retrive content take **much more time** that the queries that doesn't return anything.
For more information you can read:
* [https://medium.com/@luanherrera/xs-searching-googles-bug-tracker-to-find-out-vulnerable-source-code-50d8135b7549](https://medium.com/@luanherrera/xs-searching-googles-bug-tracker-to-find-out-vulnerable-source-code-50d8135b7549)
* [https://www.researchgate.net/publication/280738245\_Cross-Site\_Search\_Attacks](https://www.researchgate.net/publication/280738245\_Cross-Site\_Search\_Attacks)
# XS-Search - Iframe
Suppose that you can **insert** the **page** that has the **secret** content **inside an Iframe**.
You can **make the victim search** for the file that contains "_**flag**_" using an **Iframe** (exploiting a CSRF like in the prevous situation). Inside the Iframe you know that the _**onload event**_ will be **executed always at least once**. Then, you can **change** the **URL** of the **iframe** but changing only the **content** of the **hash** inside the URL.
For example:
1. **URL1**: www.attacker.com/xssearch#try1
2. **URL2**: www.attacker.com/xssearch#try2
If the first URL was **successfully loaded**, then, when **changing** the **hash** part of the URL the **onload** event **won't be triggered** again. But **if** the page had some kind of **error** when **loading**, then, the **onload** event will be **triggered again**.
Then, you can **distinguish between** a **correctly** loaded page or page that has an **error** when is accessed.
If you can make the page error when the correct content is accessed and make it load correctly when any content is accessed, then you can make a loop to extract all the information without meassuring the time.
## Iframe Chrome XSS Auditor
Imagine the **same situation as in the Timing attack method** and you also know that the **admin** is using a **Chrome browser** (for example, Chrome-headless) **with Chrome XSS Auditor.**
Then, you can use **iframes** to make the victim **search** for the page containing "_**flagX**_" (beeing X **any** possible **character**)inside a loop, and you also add to the URL inside the iframes a **fake parameter** that **contains javascript code that will only appear when a valid content is retrived**.
For example, if when you **search for** the **content **_**"my file"**_ the web server responds with a page that **includes** this **javascript** code:
```
```
If you send a query like:
```
www.victim.com/search?q=my+file&fake_xss=