Nginx misconfiguration leads to CRLF injection
In nginx, $uri is URL-decoded, so %0d%0a is decoded to CRLF.
code:
return 301 http://<%= @server_name[0].gsub(/^www\./, '') %>$uri;
A request to:
http://www.test.com/%0d%0afake_header:123%0d%0a%0d%0afake_content
CRLF injection allows an attacker to inject malicious client-side scripts (e.g. cross-site scripting) to disclose information. An attacker can obtain sensitive information such as a CSRF token, and can set fake cookies.
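
A configuration check for the pattern above, as an added example that is not part of the original page: it flags header-producing directives that use the decoded $uri (or its alias $document_uri) and passes $request_uri, which nginx leaves undecoded. The function names, the directive list and the sample config are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumed scope: directives whose arguments end up in response headers.
HEADER_DIRECTIVES = ("return", "rewrite", "add_header")
# nginx variables holding the normalized (URL-decoded) path.
DECODED_VARS = re.compile(r"\$\{?(uri|document_uri)\b")


def find_decoded_uri_in_headers(conf_text):
    """Return (line_number, directive, line) for each risky directive."""
    findings = []
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        directive = line.split(None, 1)[0]
        if directive in HEADER_DIRECTIVES and DECODED_VARS.search(line):
            findings.append((number, directive, line))
    return findings


def decoded_path_has_crlf(request_path):
    """True if URL-decoding the path yields CR or LF, as $uri would."""
    decoded = unquote(request_path)
    return "\r" in decoded or "\n" in decoded


# Constructed sample config: line 3 mirrors the page's pattern,
# line 6 uses $request_uri, which is not decoded.
SAMPLE_CONF = """\
server {
    server_name www.test.com;
    return 301 http://test.com$uri;
}
server {
    return 301 http://test.com$request_uri;
    add_header X-Path $document_uri;  # alias of $uri, also decoded
}
"""

if __name__ == "__main__":
    for number, directive, line in find_decoded_uri_in_headers(SAMPLE_CONF):
        print(f"line {number}: {directive} uses a decoded URI variable: {line}")
    # The request path from the page decodes to a value containing CRLF.
    print(decoded_path_has_crlf("/%0d%0afake_header:123%0d%0a%0d%0afake_content"))
```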