Shopify: HTTP-Response-Splitting on v.shopify.com

2015-12-22T09:03:44
ID H1:106427
Type hackerone
Reporter krankopwnz
Modified 2016-01-17T19:20:36

Description

I discovered an HTTP response splitting issue on v.shopify.com.

Steps to reproduce: Open the following URL in any browser and capture the raw response (e.g. with Burp):

https://v.shopify.com/last_shop?shop=krankopwnz.myshopify.com%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>deface</html>

The "shop" parameter is reflected into a response header without its CR/LF sequences (%0d%0a) being stripped or encoded. The injected "Content-Length: 0" terminates the server's own response early, and everything after the blank line is parsed as a second, attacker-controlled HTTP response whose body is <html>deface</html>.

When you look at screenshot 1 in the attachments, you can see that the response contains two sets of headers.

According to OWASP, this can be used for "Cross-User Defacement, Cache Poisoning, Cross-site Scripting (XSS) and Page Hijacking" (https://www.owasp.org/index.php/HTTP_Response_Splitting).

You could convince victims via social engineering to click the provided link; the injected second response can carry a cloned Shopify login page, for example. If a victim sits behind a proxy that caches responses, the proxy may store the injected response under that URL, and subsequent users requesting it will be served the forged login page.

A fix would be to reject line breaks (CR and LF) and any other non-printable characters in the "shop" parameter before it is written into a response header. Since the parameter is expected to be a shop hostname, validating it against an allowlist of hostname characters is stricter than a denylist and closes the issue regardless of how the header is later constructed.
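The following Python example is added here to illustrate both the splitting mechanism described in the reproduction steps and the suggested fix; it is not Shopify's code, and it assumes (the report does not say which header is affected) that the shop value is copied verbatim into a Set-Cookie header. The parser models a naive Content-Length-driven proxy: fed the response built from the report's payload, it yields two responses, the second being the attacker's <html>deface</html> page. The hardened builder rejects the same input before any header is emitted.

```python
import re
from urllib.parse import unquote

# Constructed input: the value of the "shop" parameter from the report's URL, URL-decoded.
PAYLOAD = unquote(
    "krankopwnz.myshopify.com%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2019%0d%0a%0d%0a<html>deface</html>"
)


def build_response_vulnerable(shop: str) -> str:
    """Server-side behaviour as assumed for this example: the shop value is
    written into a Set-Cookie header with no validation or encoding."""
    return (
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: last_shop=" + shop + "\r\n"
        "Content-Type: text/plain\r\n"
        "Content-Length: 2\r\n"
        "\r\n"
        "ok"
    )


def parse_responses(raw: str):
    """Split a raw byte stream into HTTP/1.1 responses the way a naive proxy
    does: read headers up to the blank line, then exactly Content-Length bytes
    of body, then start the next response. Returns (status, headers, body)
    tuples and stops at the first status line that is not HTTP/."""
    responses = []
    pos = 0
    while pos < len(raw):
        head_end = raw.find("\r\n\r\n", pos)
        if head_end == -1:
            break
        lines = raw[pos:head_end].split("\r\n")
        status = lines[0]
        if not status.startswith("HTTP/"):
            break  # trailing data that no longer parses as a response
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        body = raw[body_start:body_start + length]
        responses.append((status, headers, body))
        pos = body_start + length
    return responses


# Denylist from the report's suggested fix: no CR, LF or other non-printable characters.
PRINTABLE_ASCII = re.compile(r"^[\x20-\x7e]*$")

# Stricter allowlist (added here, stricter than the report's suggestion): the
# value must look like a hostname, e.g. krankopwnz.myshopify.com.
HOSTNAME = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$")


def is_safe_header_value(value: str) -> bool:
    """True when the value contains only printable ASCII (no CR/LF)."""
    return PRINTABLE_ASCII.match(value) is not None


def is_shop_hostname(value: str) -> bool:
    """True when the value is a plausible shop hostname (allowlist check)."""
    return HOSTNAME.match(value.lower()) is not None


def build_response_fixed(shop: str) -> str:
    """Hardened builder: refuse anything that is not a well-formed hostname
    before it can reach a header. The denylist alone also blocks the payload."""
    if not is_safe_header_value(shop) or not is_shop_hostname(shop):
        raise ValueError("invalid shop parameter")
    return build_response_vulnerable(shop)


if __name__ == "__main__":
    for status, headers, body in parse_responses(build_response_vulnerable(PAYLOAD)):
        print(status, dict(headers), repr(body))
    try:
        build_response_fixed(PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

Run as a script, the vulnerable path prints two responses (the legitimate one with an empty body and the injected text/html one), while the fixed builder raises on the payload and accepts a plain hostname such as krankopwnz.myshopify.com.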