Badoo: Unvalidated redirect on

ID H1:177624
Type hackerone
Reporter tsug0d
Modified 2016-12-03T12:22:31


Domain affected: (

PoC (Tested on Firefox):;text,%3Csvg%2fonload%3Dprompt%281%29%3E {F129735}

Description: may be vulnerable to CRLF injection; when we inject %0d%0a into the URL, the Location header and the entire content after %0d%0a and '/' will appear in the response header: {F129733}

Since your server is configured well enough that I can't do attacks like HTTP response splitting or redirect to an external URL, I decided to test XSS on it.

Using the data URI scheme, which is a uniform resource identifier (URI) scheme that provides a way to include data in-line in web pages as if they were external resources, can bypass it and triggers XSS: {F129734}
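As an added defensive example (not part of the report and not Badoo's code), the following Python validator shows how a redirect handler can refuse both of the conditions described above before anything reaches the Location header: a CR/LF (%0d%0a) that would split the header, and a non-http(s) scheme such as data: that a browser would render as a document. The allowlisted hosts and the sample targets are constructed for illustration.

```python
"""Validating a user-supplied redirect target before it reaches Location.

Added example; not the report's or Badoo's code. It covers the two defects
the report describes:
  * CR/LF (%0d%0a) in the target  -> header injection / response splitting
  * a non-http(s) scheme (data:)   -> XSS via the redirect itself
Hosts and sample inputs below are constructed for illustration.
"""
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"example.com", "www.example.com"}  # assumed allowlist


class UnsafeRedirect(ValueError):
    """Raised when a redirect target must not be placed in Location."""


def safe_redirect_target(raw: str, allowed_hosts=frozenset(ALLOWED_HOSTS)) -> str:
    """Return ``raw`` unchanged if it is a safe redirect target, else raise.

    ``raw`` is the value as the framework hands it to the handler; it is
    decoded once more here so a still-encoded %0d%0a is caught as well.
    """
    for candidate in (raw, unquote(raw)):
        # Any C0 control (CR, LF, TAB, NUL ...), DEL or backslash is rejected.
        # CR/LF would split the header; browsers strip leading controls and
        # treat "/\host" like "//host", so normalising is not worth the risk.
        if any(ord(c) < 0x20 or ord(c) == 0x7F or c == "\\" for c in candidate):
            raise UnsafeRedirect("control character or backslash in target")

    parts = urlsplit(raw)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must be a single-slash absolute path. A leading
        # "//" parses as a netloc and falls through to the scheme check.
        if not parts.path.startswith("/"):
            raise UnsafeRedirect("relative target must start with '/'")
        return raw
    if parts.scheme not in ("http", "https"):
        # data:, javascript:, protocol-relative "//host" and friends. A data:
        # target is exactly the bypass the report used to reach XSS.
        raise UnsafeRedirect(f"scheme {parts.scheme or '(none)'!r} not allowed")
    if parts.hostname is None or parts.hostname.lower() not in allowed_hosts:
        # hostname strips userinfo and port, so "allowed@evil" resolves to evil.
        raise UnsafeRedirect(f"host {parts.hostname!r} not in allowlist")
    return raw


def classify(targets):
    """Map each target to 'allowed' or 'rejected: <reason>' for review."""
    verdicts = {}
    for target in targets:
        try:
            safe_redirect_target(target)
            verdicts[target] = "allowed"
        except UnsafeRedirect as exc:
            verdicts[target] = f"rejected: {exc}"
    return verdicts


SAMPLE_TARGETS = [  # constructed inputs, not taken from any live request
    "/profile?tab=photos",
    "https://www.example.com/login",
    "/%0d%0aSet-Cookie:%20x=1",                           # CRLF, still encoded
    "/\r\nSet-Cookie: x=1",                                # CRLF, already decoded
    "data:text/html,%3Csvg%2fonload%3Dprompt%281%29%3E",  # data: document
    "//evil.example/",                                     # protocol-relative
    "https://example.com@evil.example/",                   # userinfo trick
    "/\\evil.example/",                                    # backslash as slash
]

if __name__ == "__main__":
    for target, verdict in classify(SAMPLE_TARGETS).items():
        print(f"{verdict:45s} {target!r}")
```

The validator returns the original string rather than a re-encoded one, so the caller's framework still owns encoding; the point is only to refuse anything the Location header cannot carry safely and anything whose scheme or host the application did not intend.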