Http Response Splitting - Validate link

ID H1:95981
Type hackerone
Reporter gerben_javado
Modified 2015-11-15T12:21:01


So I found an HTTP response splitting issue in your website. If we visit the following URL:

We will get a response header that says:

Set-Cookie: verify_token=sometoken; expires=Wed, 28 Oct 2015 23:31:35 GMT;; path=/; secure

However, this value doesn't seem to be URL-encoded, which gives the attacker the option to create his own response header. For example, if you were to visit:;%0a

The following response header will be included in the response: (shameless plug)

Set-Cookie: GerbenJavado=Awesome;

Attacker Scenario

Since this attack doesn't require any user interaction to be exploited, an attacker could do lots of fun stuff using this vulnerability by including a malicious URL in an iframe or even in an IMG tag.

  • As the example shows, the attacker can set cookies for the user on
  • The attacker can disable or bypass security headers placed by the server

One restriction the attacker has is that the request is a redirect. This made it impossible for me to perform XSS attacks or cache poisoning. Maybe you guys could look a bit into this further. However, I would argue that because user interaction is not needed and the attacker can set his own headers (including cookies), the attack is fairly scary.
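The fix the report is asking for, shown as an added example that is not code from the report or from the affected site: a cookie value must never reach the `Set-Cookie` line unencoded. The block below contrasts a naive header builder (value copied in verbatim, as the report describes) with one that percent-encodes everything outside the RFC 6265 cookie-octet set, and includes a small lenient header parser that counts how many `Set-Cookie` lines a client would actually see. All function names and the hostile token value are constructed for this illustration.

```python
import re
from urllib.parse import quote

# RFC 6265 cookie-octet: printable US-ASCII minus CTLs, space, DQUOTE, ',', ';' and '\'.
# '%' is deliberately left out of the safe set so the encoding stays reversible.
_COOKIE_VALUE_SAFE = "!#$&'()*+-./:<=>?@[]^_`{|}~"

# RFC 7230 token: the only thing a cookie name may consist of.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def naive_set_cookie(name: str, value: str) -> str:
    """Header built the way the report describes: the value is copied in unchanged."""
    return f"Set-Cookie: {name}={value}; path=/; secure"


def safe_set_cookie(name: str, value: str) -> str:
    """Reject bad names and percent-encode the value, so CR, LF and ';' can never hit the wire."""
    if not _TOKEN_RE.fullmatch(name):
        raise ValueError(f"invalid cookie name: {name!r}")
    return f"Set-Cookie: {name}={quote(value, safe=_COOKIE_VALUE_SAFE)}; path=/; secure"


def parse_header_block(raw: str) -> list[tuple[str, str]]:
    """Split a response head the way a lenient client does: a bare LF ends a line too."""
    headers = []
    for line in re.split(r"\r?\n", raw):
        if ":" in line:
            name, _, val = line.partition(":")
            headers.append((name.strip(), val.strip()))
    return headers


def count_header(raw: str, name: str) -> int:
    """How many headers called `name` a client would see in `raw`."""
    return sum(1 for n, _ in parse_header_block(raw) if n.lower() == name.lower())


# Constructed hostile input: a token value carrying a line break and a second header.
HOSTILE_TOKEN = "sometoken;\nSet-Cookie: injected=1"


def demo() -> tuple[int, int]:
    """Return (Set-Cookie count with the naive builder, count with the safe builder)."""
    head = "HTTP/1.1 302 Found\r\nLocation: /\r\n"
    naive = head + naive_set_cookie("verify_token", HOSTILE_TOKEN) + "\r\n\r\n"
    safe = head + safe_set_cookie("verify_token", HOSTILE_TOKEN) + "\r\n\r\n"
    return count_header(naive, "Set-Cookie"), count_header(safe, "Set-Cookie")


if __name__ == "__main__":
    print(demo())  # the naive builder yields two Set-Cookie headers, the safe one yields one
```

Most web frameworks already refuse or encode control characters in header values; the point of the example is the check to run against a hand-rolled `Set-Cookie` line like the one in the report, where the parser shows the extra header surviving whenever the value is not encoded.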