upgrade Aspen on inside.gratipay.com to pick up CR injection fix
High
Gratipay
Reported by
valievkarim
Vulnerability Details
Technical details and impact analysis
1) Using IE11, open DevTools and start network capture
2) visit the following URL:
http://inside.gratipay.com/assets/%0dSet-Cookie:%20qwe=qwe%0dq
3) find a 'qwe' cookie set in the response
There is a 0x0d character injected, which can be used as a header
delimiter in IE.
To see this behaviour using Curl, you can use the following command:
curl -s -v 'http://inside.gratipay.com/assets/%0dSet-Cookie:%20qwe=qwe%0dq' 2>&1|less
Screenshots of Curl output and DevTools are attached.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$40.00
Weakness
Cross-site Scripting (XSS) - Generic