diff --git a/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md b/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md
index 37e708b20..1d58e5280 100644
--- a/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md
+++ b/src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md
@@ -148,7 +148,8 @@ if (ptrace) {
 }
 ```
 
-See also: {{#ref}}
+See also:
+{{#ref}}
 reversing-native-libraries.md
 {{#endref}}
 
@@ -178,10 +179,12 @@ apk-mitm app.apk
 
 - Tool: https://github.com/shroudedcode/apk-mitm
 - For network config CA‑trust tricks (and Android 7+ user CA trust), see:
-  {{#ref}}
+
+{{#ref}}
   make-apk-accept-ca-certificate.md
   {{#endref}}
-  {{#ref}}
+
+{{#ref}}
   install-burp-certificate.md
   {{#endref}}
 
@@ -224,4 +227,4 @@ apk-mitm app.apk
 - [Apktool install guide](https://apktool.org/docs/install)
 - [Magisk](https://github.com/topjohnwu/Magisk)
 
-{{#include ../../banners/hacktricks-training.md}}
\ No newline at end of file
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/http-request-smuggling/README.md b/src/pentesting-web/http-request-smuggling/README.md
index 1a45423db..2a16ab32d 100644
--- a/src/pentesting-web/http-request-smuggling/README.md
+++ b/src/pentesting-web/http-request-smuggling/README.md
@@ -370,7 +370,8 @@ Some front-ends only reuse the upstream connection when the client reuses theirs
 
 > See also connection‑state attacks, which are closely related but not technically smuggling:
 >
->{{#ref}}
+>
+{{#ref}}
 >../http-connection-request-smuggling.md
 >{{#endref}}
 
@@ -881,4 +882,3 @@ def handleResponse(req, interesting):
 
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/proxy-waf-protections-bypass.md b/src/pentesting-web/proxy-waf-protections-bypass.md
index b59f57f51..7670fe2f6 100644
--- a/src/pentesting-web/proxy-waf-protections-bypass.md
+++ b/src/pentesting-web/proxy-waf-protections-bypass.md
@@ -143,7 +143,8 @@ Practical use cases:
 
 This pairs well with header-reflection cache poisoning. See:
 
-- {{#ref}}
+-
+{{#ref}}
 cache-deception/README.md
 {{#endref}}
 - [How I found a 0-Click Account takeover in a public BBP and leveraged it to access Admin-Level functionalities](https://hesar101.github.io/posts/How-I-found-a-0-Click-Account-takeover-in-a-public-BBP-and-leveraged-It-to-access-Admin-Level-functionalities/)
@@ -245,4 +246,3 @@ data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascri
 
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md b/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md
index 2110ed525..593242403 100644
--- a/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md
+++ b/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md
@@ -2,7 +2,24 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-The following **script** taken from [**here**](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/) is exploiting a functionality that allows the user to **insert any amount of cookies**, and then loading a file as a script knowing that the true response will be larger than the false one and then. If successful, the response is a redirect with a resulting URL longer, **too large to handle by the server so return an error http status code**. If the search fails, nothing will happen because URL is short.
+This technique combines:
+- Cookie bombing: stuffing the victim’s browser with many/large cookies for the target origin so that subsequent requests hit server/request limits (request header size, URL size in redirects, etc.).
+- Error-event oracle: probing a cross-origin endpoint with a 
 ```
 
+Why the popup (window.open)?
+- Modern browsers increasingly block third-party cookies. Opening a top-level window to the target makes cookies first‑party so Set-Cookie responses from the target will stick, enabling the cookie-bomb step even with third‑party cookie restrictions.
+
+Generic probing helper
+If you already have a way to set many cookies on the target origin (first-party), you can reuse this minimal oracle against any endpoint whose success/failure leads to different network outcomes (status/MIME/redirect):
+
+```js
+function probeError(url) {
+  return new Promise((resolve) => {
+    const s = document.createElement('script');
+    s.src = url;
+    s.onload = () => resolve(false);  // loaded successfully
+    s.onerror = () => resolve(true);  // failed (e.g., 4xx/5xx, wrong MIME, blocked)
+    document.head.appendChild(s);
+  });
+}
+```
+
+Tips to build the oracle
+- Force the “positive” state to be heavier: chain an extra redirect only when the predicate is true, or make the redirect URL reflect unbounded user input so it grows with the guessed prefix.
+- Inflate headers: repeat cookie bombing until a consistent error is observed on the “heavy” path. Servers commonly cap header size and will fail sooner when many cookies are present.
+- Stabilize: fire multiple parallel cookie set operations and probe repeatedly to average out timing and caching noise.
+
+Related XS-Search tricks
+- URL length based oracles (no cookies needed) can be combined or used instead when you can force a very long request target:
+
+{{#ref}}
+url-max-length-client-side.md
+{{#endref}}
+
+Defenses and hardening
+- Make success/failure responses indistinguishable:
+  - Avoid conditional redirects or large differences in response size between states. Return the same status, same content type, and similar body length regardless of state.
+- Block cross-site subresource probes:
+  - SameSite cookies: set sensitive cookies to SameSite=Lax or Strict so subresource requests like