ID H1:191380 Type hackerone Reporter seifelsallamy Modified 2017-07-05T23:54:50
Description
Hey,
[1] CRLF:
It's similar to #52042 but weaker
to reproduce go to:
https://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC
you will find that test cookie with the value test has been added to your cookies
[2] XSS:
XSS can occur by injecting a .jpg image
and uploading it to twitter
then changing the extension from .jpg to .html
to reproduce open messages and start a conversation
upload this image F143743 and send it in the conversation
open the image source url it will look alike
remove the last part :large
and put %23.html
XSS popup box will popup
however this image can only appear to you and to the one who you send it to because it is a private message
and to send the message you have to follow the victim and the victim has to follow you in most cases
and ton.twitter.com has no valuable cookies at all
so the impact will be a phishing page or let the victim downloading a malicious software after sending the injected image on a message
CRLF + XSS:
both bugs separately are too weak
but by joining them together the impact will be much more powerful
ton.twitter.com showing the image to the one who has a valid auth_token cookie with a value that has the right to see the injected image
as example the attackers' auth_token is valid and has the right to see the injected image
so if the attacker injected his own auth_token to the victim by CRLF
the injected image will appear to the victim even if the victim not following you
causing a XSS to occur
the following URL will:
[1] change auth_token value to my own auth_token value to make the injected image appear in your pc
[2] will redirect you to the injected imaged
[3] Javascript will be executed causing attacker's phishing page to appear
https://ton.twitter.com/1.1/ton/data/dm/809353163740483587/809353151434330112/O5hEYiOt.jpg%2523.html%E5%98%8A%E5%98%8Dset-cookie%3A%20auth_token%3Db2868e3d5fd901a1cf4819afd147ee893f331294%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC%3BSecure%3BHTTPOnly
Impacts
[1] phishing
[2] crlf injection (cookie injection & DOS may occur & cache poisoning )
[3] under certain circumstances it may lead to bypassing CSP in https://twitter.com
POCS
F143759
F143760
F143761
Thank you!
{"id": "H1:191380", "hash": "7b204b2548ada1d82944701117405a17", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Twitter: CRLF and XSS stored on ton.twitter.com", "description": "Hey,\n\n###[1] CRLF:\nIt's similar to #52042 but weaker\nto reproduce go to:\nhttps://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC\n\nyou will find that `test` cookie with the value `test` has been added to your cookies\n\n###[2] XSS:\nXSS can occur by injecting a `.jpg` image \nand uploading it to twitter\nthen changing the extension from `.jpg` to `.html`\nto reproduce open messages and start a conversation \nupload this image F143743 and send it in the conversation \nopen the image source url it will look alike \n\nhttps://ton.twitter.com/i/ton/data/dm/123456789/987654321/AbCdEf.jpg:large\n\nremove the last part `:large`\nand put `%23.html`\nXSS popup box will popup\n\nhowever this image can only appear to you and to the one who you send it to because it is a private message\nand to send the message you have to follow the victim and the victim has to follow you in most cases\nand ton.twitter.com has no valuable cookies at all \nso the impact will be a phishing page or let the victim downloading a malicious software after sending the injected image on a message \n\n###CRLF + XSS:\nboth bugs separately are too weak \nbut by joining them together the impact will be much more powerful\nton.twitter.com showing the image to the one who has a valid `auth_token` cookie with a value that has the right to see the injected image \nas example the attackers' `auth_token` is valid and has the right to see the injected image\nso if the attacker injected his own `auth_token` to the victim by CRLF\nthe injected image will appear to the victim even if the victim not following you\ncausing a XSS to occur \nthe following URL will:\n[1] change auth_token value to my own `auth_token` value to make the injected image appear in your pc\n[2] will redirect you to the injected imaged\n[3] Javascript will be executed causing attacker's phishing page to appear\nhttps://ton.twitter.com/1.1/ton/data/dm/809353163740483587/809353151434330112/O5hEYiOt.jpg%2523.html%E5%98%8A%E5%98%8Dset-cookie%3A%20auth_token%3Db2868e3d5fd901a1cf4819afd147ee893f331294%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC%3BSecure%3BHTTPOnly\n\n###Impacts\n[1] phishing\n[2] crlf injection (cookie injection & DOS may occur & cache poisoning )\n[3] under certain circumstances it may lead to bypassing CSP in https://twitter.com \n\n###POCS\nF143759\nF143760\nF143761\n\nThank you!", "published": "2016-12-15T11:41:34", "modified": "2017-07-05T23:54:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/191380", "reporter": "seifelsallamy", "references": [], "cvelist": [], "lastseen": "2018-04-19T17:34:09", "history": [{"lastseen": "2017-08-29T13:11:22", "bulletin": {"id": "H1:191380", "hash": "0278e431a07746ccf0bec0de92f83eeb5ad6a68fab39aad3f49473e7e7be6ff1", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Twitter: CRLF and XSS stored on ton.twitter.com", "description": "Hey,\n\n###[1] CRLF:\nIt's similar to #52042 but weaker\nto reproduce go to:\nhttps://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC\n\nyou will find that `test` cookie with the value `test` has been added to your cookies\n\n###[2] XSS:\nXSS can occur by injecting a `.jpg` image \nand uploading it to twitter\nthen changing the extension from `.jpg` to `.html`\nto reproduce open messages and start a conversation \nupload this image F143743 and send it in the conversation \nopen the image source url it will look alike \n\nhttps://ton.twitter.com/i/ton/data/dm/123456789/987654321/AbCdEf.jpg:large\n\nremove the last part `:large`\nand put `%23.html`\nXSS popup box will popup\n\nhowever this image can only appear to you and to the one who you send it to because it is a private message\nand to send the message you have to follow the victim and the victim has to follow you in most cases\nand ton.twitter.com has no valuable cookies at all \nso the impact will be a phishing page or let the victim downloading a malicious software after sending the injected image on a message \n\n###CRLF + XSS:\nboth bugs separately are too weak \nbut by joining them together the impact will be much more powerful\nton.twitter.com showing the image to the one who has a valid `auth_token` cookie with a value that has the right to see the injected image \nas example the attackers' `auth_token` is valid and has the right to see the injected image\nso if the attacker injected his own `auth_token` to the victim by CRLF\nthe injected image will appear to the victim even if the victim not following you\ncausing a XSS to occur \nthe following URL will:\n[1] change auth_token value to my own `auth_token` value to make the injected image appear in your pc\n[2] will redirect you to the injected imaged\n[3] Javascript will be executed causing attacker's phishing page to appear\nhttps://ton.twitter.com/1.1/ton/data/dm/809353163740483587/809353151434330112/O5hEYiOt.jpg%2523.html%E5%98%8A%E5%98%8Dset-cookie%3A%20auth_token%3Db2868e3d5fd901a1cf4819afd147ee893f331294%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC%3BSecure%3BHTTPOnly\n\n###Impacts\n[1] phishing\n[2] crlf injection (cookie injection & DOS may occur & cache poisoning )\n[3] under certain circumstances it may lead to bypassing CSP in https://twitter.com \n\n###POCS\nF143759\nF143760\nF143761\n\nThank you!", "published": "2016-12-15T11:41:34", "modified": "2017-07-05T23:54:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/191380", "reporter": "seifelsallamy", "references": [], "cvelist": [], "lastseen": "2017-08-29T13:11:22", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 6.0, "modified": "2017-08-29T13:11:22"}}, "objectVersion": "1.4", "bounty": 1680.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/twitter", "handle": "twitter", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/000/061/4acfe72859c5e9cb48a152edb4e498e13fa28df2_small.?1439954730", "medium": "https://profile-photos.hackerone-user-content.com/production/000/000/061/e78ef26a3191adcabe7311daa107bd9e152d3b5c_medium.?1439954730"}}, "h1reporter": {"url": "/seifelsallamy", "hacker_mediation": false, "disabled": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/003/804/400900931f5f9bbb690550d96771f0156a0a9dea_small.jpg?1492164268"}, "username": "seifelsallamy"}}, "differentElements": ["h1reporter"], "edition": 3}, {"lastseen": "2018-02-07T16:57:58", "bulletin": {"id": "H1:191380", "hash": "c3175a54d935c398eb667f477724e217441f17eb292a71356c234c886c8a9017", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Twitter: CRLF and XSS stored on ton.twitter.com", "description": "Hey,\n\n###[1] CRLF:\nIt's similar to #52042 but weaker\nto reproduce go to:\nhttps://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC\n\nyou will find that `test` cookie with the value `test` has been added to your cookies\n\n###[2] XSS:\nXSS can occur by injecting a `.jpg` image \nand uploading it to twitter\nthen changing the extension from `.jpg` to `.html`\nto reproduce open messages and start a conversation \nupload this image F143743 and send it in the conversation \nopen the image source url it will look alike \n\nhttps://ton.twitter.com/i/ton/data/dm/123456789/987654321/AbCdEf.jpg:large\n\nremove the last part `:large`\nand put `%23.html`\nXSS popup box will popup\n\nhowever this image can only appear to you and to the one who you send it to because it is a private message\nand to send the message you have to follow the victim and the victim has to follow you in most cases\nand ton.twitter.com has no valuable cookies at all \nso the impact will be a phishing page or let the victim downloading a malicious software after sending the injected image on a message \n\n###CRLF + XSS:\nboth bugs separately are too weak \nbut by joining them together the impact will be much more powerful\nton.twitter.com showing the image to the one who has a valid `auth_token` cookie with a value that has the right to see the injected image \nas example the attackers' `auth_token` is valid and has the right to see the injected image\nso if the attacker injected his own `auth_token` to the victim by CRLF\nthe injected image will appear to the victim even if the victim not following you\ncausing a XSS to occur \nthe following URL will:\n[1] change auth_token value to my own `auth_token` value to make the injected image appear in your pc\n[2] will redirect you to the injected imaged\n[3] Javascript will be executed causing attacker's phishing page to appear\nhttps://ton.twitter.com/1.1/ton/data/dm/809353163740483587/809353151434330112/O5hEYiOt.jpg%2523.html%E5%98%8A%E5%98%8Dset-cookie%3A%20auth_token%3Db2868e3d5fd901a1cf4819afd147ee893f331294%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC%3BSecure%3BHTTPOnly\n\n###Impacts\n[1] phishing\n[2] crlf injection (cookie injection & DOS may occur & cache poisoning )\n[3] under certain circumstances it may lead to bypassing CSP in https://twitter.com \n\n###POCS\nF143759\nF143760\nF143761\n\nThank you!", "published": "2016-12-15T11:41:34", "modified": "2017-07-05T23:54:50", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/191380", "reporter": "seifelsallamy", "references": [], "cvelist": [], "lastseen": "2018-02-07T16:57:58", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 2.8, "modified": "2018-02-07T16:57:58", "vector": "AV:N/AC:M/Au:M/C:N/I:P/A:N/"}}, "objectVersion": "1.4", "bounty": 1680.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/twitter", "handle": "twitter", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/000/061/4acfe72859c5e9cb48a152edb4e498e13fa28df2_small.?1439954730", "medium": "https://profile-photos.hackerone-user-content.com/production/000/000/061/e78ef26a3191adcabe7311daa107bd9e152d3b5c_medium.?1439954730"}}, "h1reporter": {"url": "/seifelsallamy", "hacker_mediation": false, "disabled": false, "is_me?": false, "hackerone_triager": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/003/804/400900931f5f9bbb690550d96771f0156a0a9dea_small.jpg?1492164268"}, "username": "seifelsallamy"}}, "differentElements": ["h1team", "h1reporter"], "edition": 4}, {"lastseen": "2017-08-22T11:09:39", "bulletin": {"id": "H1:191380", "hash": "d233a04e9cad686ce36a0b012cdac9c4296257974cbd6b2330529f0e50ffc1cb", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Twitter: CRLF and XSS stored on ton.twitter.com", "description": "Hey,\n\n###[1] CRLF:\nIt's similar to #52042 but weaker\nto reproduce go to:\nhttps://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC\n\nyou will find that `test` cookie with the value `test` has been added to your cookies\n\n###[2] XSS:\nXSS can occur by injecting a `.jpg` image \nand uploading it to twitter\nthen changing the extension from `.jpg` to `.html`\nto reproduce open messages and start a conversation \nupload this image F143743 and send it in the conversation \nopen the image source url it will look alike \n\nhttps://ton.twitter.com/i/ton/data/dm/123456789/987654321/AbCdEf.jpg:large\n\nremove the last part `:large`\nand put `%23.html`\nXSS popup box will popup\n\nhowever this image can only appear to you and to the one who you send it to because it is a private message\nand to send the message you have to follow the victim and the victim has to follow you in most cases\nand ton.twitter.com has no valuable cookies at all \nso the impact will be a phishing page or let the victim downloading a malicious software after sending the injected image on a message \n\n###CRLF + XSS:\nboth bugs separately are too weak \nbut by joining them together the impact will be much more powerful\nton.twitter.com showing the image to the one who has a valid `auth_token` cookie with a value that has the right to see the injected image \nas example the attackers' `auth_token` is valid and has the right to see the injected image\nso if the attacker injected his own `auth_token` to the victim by CRLF\nthe injected image will appear to the victim even if the victim not following you\ncausing a XSS to occur \nthe following URL will:\n[1] change auth_token value to my own `auth_token` value to make the injected image appear in your pc\n[2] will redirect you to the injected imaged\n[3] Javascript will be executed causing attacker's phishing page to appear\nhttps://ton.twitter.com/1.1/ton/data/dm/809353163740483587/809353151434330112/O5hEYiOt.jpg%2523.html%E5%98%8A%E5%98%8Dset-cookie%3A%20auth_token%3Db2868e3d5fd901a1cf4819afd147ee893f331294%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC%3BSecure%3BHTTPOnly\n\n###Impacts\n[1] phishing\n[2] crlf injection (cookie injection & DOS may occur & cache poisoning )\n[3] under certain circumstances it may lead to bypassing CSP in https://twitter.com \n\n###POCS\nF143759\nF143760\nF143761\n\nThank you!", "published": "2016-12-15T11:41:34", "modified": "1970-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/191380", "reporter": "seifelsallamy", "references": [], "cvelist": [], "lastseen": "2017-08-22T11:09:39", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "bounty": 1680.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/twitter", "handle": "twitter", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/000/061/4acfe72859c5e9cb48a152edb4e498e13fa28df2_small.?1439954730", "medium": "https://profile-photos.hackerone-user-content.com/production/000/000/061/e78ef26a3191adcabe7311daa107bd9e152d3b5c_medium.?1439954730"}}, "h1reporter": {"url": "/seifelsallamy", "hacker_mediation": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/003/804/400900931f5f9bbb690550d96771f0156a0a9dea_small.jpg?1492164268"}, "disabled": false, "username": "seifelsallamy"}}, "differentElements": ["h1reporter"], "edition": 1}, {"lastseen": "2017-08-28T23:19:22", "bulletin": {"id": "H1:191380", "hash": "f30b82a94cd2c3f0c27fc3d3bcaa404e0ecf825ec7310308f5a78fbe9513f20d", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Twitter: CRLF and XSS stored on ton.twitter.com", "description": "Hey,\n\n###[1] CRLF:\nIt's similar to #52042 but weaker\nto reproduce go to:\nhttps://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC\n\nyou will find that `test` cookie with the value `test` has been added to your cookies\n\n###[2] XSS:\nXSS can occur by injecting a `.jpg` image \nand uploading it to twitter\nthen changing the extension from `.jpg` to `.html`\nto reproduce open messages and start a conversation \nupload this image F143743 and send it in the conversation \nopen the image source url it will look alike \n\nhttps://ton.twitter.com/i/ton/data/dm/123456789/987654321/AbCdEf.jpg:large\n\nremove the last part `:large`\nand put `%23.html`\nXSS popup box will popup\n\nhowever this image can only appear to you and to the one who you send it to because it is a private message\nand to send the message you have to follow the victim and the victim has to follow you in most cases\nand ton.twitter.com has no valuable cookies at all \nso the impact will be a phishing page or let the victim downloading a malicious software after sending the injected image on a message \n\n###CRLF + XSS:\nboth bugs separately are too weak \nbut by joining them together the impact will be much more powerful\nton.twitter.com showing the image to the one who has a valid `auth_token` cookie with a value that has the right to see the injected image \nas example the attackers' `auth_token` is valid and has the right to see the injected image\nso if the attacker injected his own `auth_token` to the victim by CRLF\nthe injected image will appear to the victim even if the victim not following you\ncausing a XSS to occur \nthe following URL will:\n[1] change auth_token value to my own `auth_token` value to make the injected image appear in your pc\n[2] will redirect you to the injected imaged\n[3] Javascript will be executed causing attacker's phishing page to appear\nhttps://ton.twitter.com/1.1/ton/data/dm/809353163740483587/809353151434330112/O5hEYiOt.jpg%2523.html%E5%98%8A%E5%98%8Dset-cookie%3A%20auth_token%3Db2868e3d5fd901a1cf4819afd147ee893f331294%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC%3BSecure%3BHTTPOnly\n\n###Impacts\n[1] phishing\n[2] crlf injection (cookie injection & DOS may occur & cache poisoning )\n[3] under certain circumstances it may lead to bypassing CSP in https://twitter.com \n\n###POCS\nF143759\nF143760\nF143761\n\nThank you!", "published": "2016-12-15T11:41:34", "modified": "1970-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/191380", "reporter": "seifelsallamy", "references": [], "cvelist": [], "lastseen": "2017-08-28T23:19:22", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "bounty": 1680.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/twitter", "handle": "twitter", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/000/061/4acfe72859c5e9cb48a152edb4e498e13fa28df2_small.?1439954730", "medium": "https://profile-photos.hackerone-user-content.com/production/000/000/061/e78ef26a3191adcabe7311daa107bd9e152d3b5c_medium.?1439954730"}}, "h1reporter": {"url": "/seifelsallamy", "hacker_mediation": false, "disabled": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/003/804/400900931f5f9bbb690550d96771f0156a0a9dea_small.jpg?1492164268"}, "username": "seifelsallamy"}}, "differentElements": ["modified"], "edition": 2}], "viewCount": 7, "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2018-04-19T17:34:09"}, "dependencies": {"references": [], "modified": "2018-04-19T17:34:09"}, "vulnersScore": -0.1}, "objectVersion": "1.4", "bounty": 1680.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/twitter", "handle": "twitter", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/000/061/4acfe72859c5e9cb48a152edb4e498e13fa28df2_small.?1439954730", "medium": "https://profile-photos.hackerone-user-content.com/000/000/061/e78ef26a3191adcabe7311daa107bd9e152d3b5c_medium.?1439954730"}}, "h1reporter": {"url": "/seifelsallamy", "hacker_mediation": false, "disabled": false, "is_me?": false, "hackerone_triager": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/003/804/400900931f5f9bbb690550d96771f0156a0a9dea_small.jpg?1492164268"}, "username": "seifelsallamy"}, "_object_type": "robots.models.hackerone.HackerOneBulletin", "_object_types": ["robots.models.hackerone.HackerOneBulletin", "robots.models.base.Bulletin"]}
