Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

[gratipay.com] Cross Site Tracing

G
Gratipay
Submitted None
Actions:
View on HackerOne
Reported by ahsan

Vulnerability Details

Technical details and impact analysis

Information Disclosure
**Hello team,** I was checking if TRACE method is enabled on gratipay.com or not? I opened up my terminal (CLI) and executed this command: curl -v -X TRACE http://gratipay.com The response may not actually shows it is vulnerable, but it is not as well a message for properly configured "no" to Cross Site Tracing attack. And it showed up this response: ``` * Trying 54.235.170.226... * Connected to gratipay.com (54.235.170.226) port 80 (#0) > TRACE / HTTP/1.1 > Host: gratipay.com > User-Agent: curl/7.49.1 > Accept: */* > < HTTP/1.1 302 Found < Server: gunicorn < Date: Thu, 21 Jul 2016 09:15:54 GMT < X-Frame-Options: SAMEORIGIN < Cache-Control: no-cache < X-Xss-Protection: 1; mode=block < Location: https://gratipay.com/ < X-Content-Type-Options: nosniff < X-Gratipay-Version: 1977 < Via: 1.1 vegur < X-Cache: MISS from cache1 < X-Cache-Lookup: NONE from cache1:8080 < Transfer-Encoding: chunked < Connection: keep-alive < * Connection #0 to host gratipay.com left intact ``` **While, it should show this error** ``` <html> <head><title>405 Not Allowed</title></head> <body bgcolor="white"> <center><h1>405 Not Allowed</h1></center> <hr><center>nginx</center> </body> </html> ``` ##PoC We can inject headers in the response: _Command:_ `curl -v -X TRACE -H "Header: value=Testing" http://gratipay.com/` _Response:_ ``` * Trying 54.235.170.226... * Connected to gratipay.com (54.235.170.226) port 80 (#0) > TRACE / HTTP/1.1 > Host: gratipay.com > User-Agent: curl/7.49.1 > Accept: */* > Header: value=Testing --> *** YOU CAN SEE HEADER INJECTED*** > < HTTP/1.1 302 Found < Server: gunicorn < Date: Thu, 21 Jul 2016 09:17:01 GMT < X-Frame-Options: SAMEORIGIN < Cache-Control: no-cache < X-Xss-Protection: 1; mode=block < Location: https://gratipay.com/ < X-Content-Type-Options: nosniff < X-Gratipay-Version: 1977 < Via: 1.1 vegur < X-Cache: MISS from cache1 < X-Cache-Lookup: NONE from cache1:8080 < Transfer-Encoding: chunked < Connection: keep-alive < * Connection #0 to host gratipay.com left intact ``` For more information: https://www.owasp.org/index.php/Cross_Site_Tracing *Cheers, Ahsan*

Report Details

Additional information and metadata

State

Closed

Substate

Informative

Submitted

Weakness

Information Disclosure