Day 39 comes with Android vulnerabilities, a curious report about CRLF and Stored XSS, and a weekly report with bugs.
Finding common vulnerabilities in Android
CRLF and Stored XSS
From Sam (CoffeeJunkie). Last week I spent a good amount of time studying and practicing different ways to achieve XSS, because one of my targets had an HTML injection, but I wanted to escalate it to XSS. Therefore, this time while reading things in "hacktivity" at HackerOne I found this writeup of CRLF injection to Stored XSS. Furthermore, as an update on the goal of three reports per week: I didn't achieve it this time, but this was the bug that I found.
Now, let’s get into the report found at Hackerone.
The attacker found a CRLF injection in the following URL:
```
# Encoded URL
https://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC

# Decoded URL
https://ton.twitter.com/1.1/ton/data/dm/x/嘊嘍set-cookie: test=test; Domain=.twitter.com; Path=/; Expires=Sat, 15-Dec-2018 09:45:55 UTC
```
As you can see in the decoded URL, the attacker was able to set a cookie through HTTP response splitting caused by the CRLF injection.
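As an added example (not from the report or this post), the following Python models why the two characters in that path can turn into CR/LF and shows the check a defender would apply to a value before it is echoed into a response header. The "keep only the low byte of each code point" transcoding is an assumed model of the faulty server behaviour, and the sample path is constructed from the URL above.

```python
from urllib.parse import unquote

# Constructed sample: the path from the report, still percent-encoded (Expires omitted).
ENCODED_PATH = ("/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B"
                "%20Domain%3D.twitter.com%3B%20Path%3D%2F")


def lossy_low_byte(text: str) -> bytes:
    """Assumed model of the faulty encoding: keep only the low byte of each code point.
    U+560A (嘊) becomes 0x0A (LF) and U+560D (嘍) becomes 0x0D (CR)."""
    return bytes(ord(ch) & 0xFF for ch in text)


def smuggled_header_lines(encoded_path: str) -> list:
    """Header lines that would appear if the decoded path were echoed into a response
    header through lossy_low_byte: everything after the first CR/LF starts a new line."""
    raw = lossy_low_byte(unquote(encoded_path))
    parts = raw.replace(b"\r", b"\n").split(b"\n")
    # parts[0] is still the legitimate header value; drop it and any empty fragments.
    return [p for p in parts[1:] if p]


def is_safe_header_value(value: str) -> bool:
    """Hardened check: allow only visible ASCII plus SP and HTAB in a header value.
    Rejecting non-ASCII up front means no later transcoding can manufacture CR/LF."""
    return all(ch == "\t" or 0x20 <= ord(ch) <= 0x7E for ch in value)


def is_safe_decoded_path(encoded_path: str) -> bool:
    """Validate the *decoded* form: the percent-encoded string is pure ASCII and
    would pass is_safe_header_value even though it is dangerous once decoded."""
    return is_safe_header_value(unquote(encoded_path))


if __name__ == "__main__":
    print(smuggled_header_lines(ENCODED_PATH))
    print(is_safe_header_value(ENCODED_PATH), is_safe_decoded_path(ENCODED_PATH))
```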
Later on, the attacker found a great chance to upload a `jpg` picture with an XSS payload; by replacing the `jpg` extension with `html`, the XSS will pop up. But how can these two bugs be chained? The attack can be chained by injecting the attacker's `auth_token` cookie through the CRLF injection. In that way the injected image will appear on the victim's side, causing the XSS to occur.
Full report [here](https://hackerone.com/reports/191380)