Day 39/100 Hack and Improvement

Day 39 comes with Android vulnerabilities, a curious report about CRLF and Stored XSS, and a weekly report with bugs.

Finding common vulnerabilities in Android

From Rajesh Ranjan. For this writeup Click here.

CRLF and Stored XSS

From Sam (CoffeeJunkie). Last week I spent a good amount of time studying and practicing different ways to achieve XSS due to one of my targets had a HTML Injection, but, I wanted to escalate it to XSS. Therefore, this time while reading things in “hacktivity” at hackerone I found this writeup of CRLF injection to Stored XSS. Furthermore, as an update of the goal of three reports per week. I didn’t achieve it this time, but this was the bug that I found.

Now, let’s get into the report found at Hackerone.

The attacker found a CRLF injection in the following url:

# Encoded URL
https://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC
# Decoded URL
https://ton.twitter.com/1.1/ton/data/dm/x/嘊嘍set-cookie: test=test; Domain=.twitter.com; Path=/; Expires=Sat, 15-Dec-2018 09:45:55 UTC

As you can see in the decoded URL, the attacker was able to set a cookie due to HTTP Splitting by the CRLF injection.

Later on, the attacker found a great chance to upload a jpg picture with an XSS payload which by replacing the jpg extension by html xss will pop up. But how these two bugs can be chained? The attack can be chained by injecting the attacker auth_token cookie. In that way the the injected image will appear in the victim side causing the XSS to occur.

FULL report [here]https://hackerone.com/reports/191380)