XS-Leak Victim Lab

Victime seule pour entrainement. Host prevu: https://xsleak.raltheo.fr. Tu ecris tes propres scripts attaquants depuis une autre origine.

Session et defense

Actif: Vulnerable. Cookie: SameSite=None Secure HttpOnly

Session vuepas de cookie session

Rolen/a

Projectsn/a

Flagsn/a

Login Alice Login Bob Logout Debug request

Secrets par famille

Cibles a attaquer

Famille	Secret	URL victime	Signal attaquant
Script status	`charlb-ultraskiddy-script`	`https://xsleak.raltheo.fr/api/features/charlb-ultraskiddy-script.js`	script.onload vs script.onerror
Image status	`charlb-image-bigskiddy`	`https://xsleak.raltheo.fr/media/badges/charlb-image-bigskiddy.png`	Image.onload vs Image.onerror
CSS status	`css-charlb-newbie`	`https://xsleak.raltheo.fr/theme/css-charlb-newbie.css`	link.onload vs link.onerror
Timing search	`timing-skiddy-charli`	`https://xsleak.raltheo.fr/search?q=timing-skiddy-charli`	fetch no-cors duration
Download size	`size-charlb-noobie`	`https://xsleak.raltheo.fr/download/reports/size-charlb-noobie`	load duration / response size side effect
Frame count	`frame-charlb-pasunbon`	`https://xsleak.raltheo.fr/app/projects/frame-charlb-pasunbon/dashboard`	iframe.contentWindow.length
ID attribute focus	`id-charlb-focus`	`https://xsleak.raltheo.fr/account/device-pairing#id-charlb-focus`	top window blur after iframe fragment focus
Cache probing	`cache-charlb-skid`	`https://xsleak.raltheo.fr/private/cache-primer?asset=cache-charlb-skid&key=YOUR_KEY`	warm private page, then time public cacheable asset
Redirect chain	`charlb-reward-skid`	`https://xsleak.raltheo.fr/redirect/coupon/charlb-reward-skid`	redirect chain timing / navigation behavior

Profils defense

Profil	Cookie	Headers / comportement
`vulnerable`	`SameSite=None` `Secure` `HttpOnly`	public cache oracle enabled
`cookieLax`	`SameSite=Lax` `Secure` `HttpOnly`	public cache oracle enabled
`cookieStrict`	`SameSite=Strict` `Secure` `HttpOnly`	public cache oracle enabled
`frameProtected`	`SameSite=None` `Secure` `HttpOnly`	XFO=DENY, frame-ancestors 'none', public cache oracle enabled
`corpProtected`	`SameSite=None` `Secure` `HttpOnly`	CORP=same-origin, public cache oracle enabled
`coopProtected`	`SameSite=None` `Secure` `HttpOnly`	COOP=same-origin, public cache oracle enabled
`fetchMetadata`	`SameSite=None` `Secure` `HttpOnly`	Fetch Metadata block, public cache oracle enabled
`cacheHardened`	`SameSite=None` `Secure` `HttpOnly`	public cache hardened
`hardened`	`SameSite=Strict` `Secure` `HttpOnly`	XFO=DENY, frame-ancestors 'none', COOP=same-origin, COEP=require-corp, CORP=same-origin, Fetch Metadata block, uniform responses, public cache hardened