Binary.com: Http Response Splitting - Validate link

2015-10-26T23:48:50
ID H1:95981
Type hackerone
Reporter gerben_javado
Modified 2015-11-15T12:21:01

Description

So i found a http response splitting issue in your website. If we visit the following url:

https://www.binary.com/user/validate_link?step=account&verify_token=sometoken

We will get a response header that says:

Set-Cookie: verify_token=sometoken; expires=Wed, 28 Oct 2015 23:31:35 GMT; domain=.binary.com; path=/; secure

However this value doesnt seem to be urlencoded which gives the attacker the option to create his own response header. For example if you were to visit:

https://www.binary.com/user/validate_link?step=account&verify_token=%0aSet-Cookie:%20GerbenJavado=Awesome;%0a

The following response header will be included in the response: (shameless plug)

Set-Cookie: GerbenJavado=Awesome;

Attacker Scenario

Since this attack doesnt require any user interaction to be exploited, a attacker could do lots of fun stuff using this vulnerability by including a malicious url in a Iframe or even in a IMG tag.

  • As the example shows the attacker can set cookies for the user on binary.com
  • The attacker can disable or bypass security headers placed by the server

One restricition the attacker has is that the request is a redirect. This made it for me impossible to XSS attacks or Cache Poisining. Maybe you guys could look a bit into this further. However i would argue that because of the fact user interaction is not needed and the fact that the attacker can set his own headers (including cookies) the attack is fairly scary.