Twitter: CRLF and XSS stored on

ID H1:191380
Type hackerone
Reporter seifelsallamy
Modified 2017-07-05T23:54:50



[1] CRLF:

It is similar to #52042 but weaker. To reproduce, go to:

You will find that a cookie named test with the value test has been added to your cookies.

[2] XSS:

The XSS occurs by injecting a payload into a .jpg image, uploading it to Twitter, and then changing the extension from .jpg to .html. To reproduce: open Messages and start a conversation, upload the image F143743 and send it in the conversation, then open the image's source URL. It will look like:

Remove the last part, :large, and put %23.html in its place; the XSS popup box will appear.

However, this image can only be seen by you and by the person you sent it to, because it is a private message, and to send the message you have to follow the victim and, in most cases, the victim has to follow you. The page also has no valuable cookies at all, so the impact would be a phishing page, or getting the victim to download malicious software after the injected image is sent in a message.
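The report does not say how the image host chose the Content-Type for the renamed URL, only that appending .html made the stored bytes render as a page. The following is an added example, not code from the report or from Twitter: it models the failure class where the type is derived from the extension at the end of the requested path, next to a handler that ignores the request's extension and serves the type validated at upload time. The path shape, the media id EXAMPLE_ID, the upload store and the allowlist are assumptions for illustration.

```python
import mimetypes
import posixpath
from typing import Optional
from urllib.parse import urlsplit

IMAGE_ALLOWLIST = {"image/jpeg", "image/png", "image/gif"}

# Constructed upload store (assumption). The type recorded here is meant to be
# the one sniffed from the upload's bytes, not the client's filename or
# Content-Type. The body carries markup the way the report's image did.
STORED_UPLOADS = {
    "EXAMPLE_ID": {
        "type": "image/jpeg",
        "body": b"\xff\xd8\xff\xe0<script>alert(1)</script>",
    },
}


def filename_of(url_path: str) -> str:
    """Last path segment, e.g. 'EXAMPLE_ID.jpg:large'.
    Note that '%23' stays in the path; a literal '#' would be a fragment and
    never reach the server, which is why the report uses the encoded form."""
    return posixpath.basename(urlsplit(url_path).path)


def serve_vulnerable(url_path: str) -> dict:
    """Failure class: Content-Type picked from whatever extension the REQUEST
    ends with. ':large' is a size variant and is stripped first, so
    'X.jpg:large' maps to image/jpeg; 'X.jpg%23.html' has no variant suffix
    and ends in '.html', so the stored bytes are served as text/html."""
    name = filename_of(url_path).split(":", 1)[0]
    ctype, _ = mimetypes.guess_type(name)
    return {"Content-Type": ctype or "application/octet-stream"}


def serve_hardened(url_path: str) -> Optional[dict]:
    """Ignore the extension in the request. Look the object up by id, use the
    type validated at upload, tell the browser not to sniff, and force a
    download for anything that is not in the image allowlist."""
    media_id = filename_of(url_path).split(".", 1)[0]
    record = STORED_UPLOADS.get(media_id)
    if record is None:
        return None  # 404: unknown object
    headers = {
        "Content-Type": record["type"],
        "X-Content-Type-Options": "nosniff",
    }
    if record["type"] not in IMAGE_ALLOWLIST:
        headers["Content-Disposition"] = "attachment"
    return headers


if __name__ == "__main__":
    for p in ("/media/EXAMPLE_ID.jpg:large", "/media/EXAMPLE_ID.jpg%23.html"):
        print(p, "->", serve_vulnerable(p), "|", serve_hardened(p))
```

The hardened handler keys on the object id and the stored type only, so no rename of the URL can change what the browser is told it received; nosniff additionally stops the browser from second-guessing that type from the bytes.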


Both bugs separately are too weak, but joining them together makes the impact much more powerful. The injected image is shown to anyone who has a valid auth_token cookie with the right to see it; the attacker's own auth_token is valid and has that right. So if the attacker injects his own auth_token into the victim's browser by the CRLF, the injected image will appear to the victim even if the victim is not following the attacker, causing the XSS to occur. The following URL will: [1] change the auth_token value to the attacker's own auth_token value so that the injected image appears on the victim's PC, [2] redirect the victim to the injected image, [3] execute the JavaScript, causing the attacker's phishing page to appear.
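The CRLF in [1] and the chain described above both come down to one mechanism: a CR LF pair inside a header value ends that header and lets the attacker start a new header line, here Set-Cookie. The following is an added example, not code from the report or from Twitter. The report does not name the vulnerable parameter, so a redirect target next is assumed; the token value, the cookie attributes and the image path are placeholders. It builds the vulnerable 302, shows the injected test cookie and the auth_token fixation variant as the browser would parse them, and puts the rejecting check beside it.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed attacker inputs (assumptions). %0d%0a decodes to \r\n, which
# ends the Location header and starts a header line of the attacker's choosing.
INJECT_TEST_COOKIE = "/home%0d%0aSet-Cookie:%20test=test"

# The chain from the report: fix the victim's auth_token to the attacker's,
# then send them to the injected image. The image path is double-encoded so
# that '%23' survives the one decode the server performs. Placeholders only.
ATTACKER_TOKEN = "ATTACKER_TOKEN_PLACEHOLDER"
INJECT_AUTH_TOKEN = (
    "/media/EXAMPLE_ID.jpg%2523.html%0d%0a"
    f"Set-Cookie:%20auth_token={ATTACKER_TOKEN};%20Path=/"
)


def redirect_vulnerable(next_param: str) -> bytes:
    """302 whose Location is the decoded parameter, with no CR/LF filtering."""
    location = unquote(next_param)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def redirect_hardened(next_param: str) -> bytes:
    """Same response, but a header value may not contain CR, LF or NUL.
    Rejecting is safer than stripping: a stripped value may still be a
    redirect the author never intended."""
    location = unquote(next_param)
    if re.search(r"[\r\n\x00]", location):
        raise ValueError("control characters in header value rejected")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw response into (name, value) pairs the way a client does:
    every CRLF-terminated line after the status line is its own header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def cookies_set(raw: bytes) -> List[str]:
    """Values of every Set-Cookie header the client would honour."""
    return [v for n, v in parse_headers(raw) if n.lower() == "set-cookie"]


def hardened_rejects(next_param: str) -> bool:
    """True if the hardened handler refuses to emit a response for this input."""
    try:
        redirect_hardened(next_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_headers(redirect_vulnerable(INJECT_TEST_COOKIE)))
    print(parse_headers(redirect_vulnerable(INJECT_AUTH_TOKEN)))
    print("hardened rejects:", hardened_rejects(INJECT_AUTH_TOKEN))
```

Most current HTTP libraries already refuse CR or LF in header values when the application sets headers through their API; the bug appears when a value is written into the response some other way, or when a framework predates that check. In the fixation variant the Set-Cookie line is parsed before the redirect is followed, so the request for the image already carries the attacker's auth_token, which is the ordering the report relies on.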


[1] Phishing. [2] CRLF injection (cookie injection; DoS and cache poisoning may also occur). [3] Under certain circumstances it may lead to bypassing CSP in


F143759 F143760 F143761

