Unvalidated redirect on team.badoo.com
Medium
Bumble
Reported by
tsug0d
Vulnerability Details
Technical details and impact analysis
#Domain affected:
https://team.badoo.com/ (corp.badoo.com)
#PoC (Tested on Firefox):
https://team.badoo.com/%0d%0ablocked:text/html;text,%3Csvg%2fonload%3Dprompt%281%29%3E
{F129735}
#Describe:
team.badoo.com may be vulnerable to CRLF injection. When we inject %0d%0a into the URL, the Location header, the entire content after %0d%0a and '/' will appear in the response header:
{F129733}
Since your server is configured pretty well, such that I can't do attacks like HTTP response splitting or redirecting to an external URL, I decided to test XSS on it.
Using the Data URI scheme, which is a uniform resource identifier (URI) scheme that provides a way to include data in-line in web pages as if they were external resources, can bypass it and trigger XSS:
{F129734}
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$140.00
Weakness
Cross-site Scripting (XSS) - Generic
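
The report describes request data being decoded and reflected into the `Location` header. The following is an added example, not code from the report or from the affected application, of a server-side check that refuses such a redirect target before the header is written. The function names, the allowed host `team.example.test`, and the sample inputs are all constructed for illustration.

```python
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"team.example.test"}  # assumption: hosts this app may redirect to
MAX_DECODE_ROUNDS = 3


def fully_decode(value: str) -> str:
    """Percent-decode repeatedly so double-encoded CR/LF (%250d%250a) is seen."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("too many encoding layers")


def safe_location(target: str) -> str:
    """Return target if it is safe to emit in a Location header, else raise."""
    decoded = fully_decode(target)
    # CR, LF or any other control character could start a new header line.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        raise ValueError("control character in redirect target")
    # Browsers treat '\' like '/', so '/\host' can become a scheme-relative URL.
    if "\\" in decoded:
        raise ValueError("backslash in redirect target")
    parts = urlsplit(decoded)
    # Only http(s) or relative targets; this rejects data:, javascript:, etc.
    if parts.scheme not in ("", "http", "https"):
        raise ValueError("scheme not allowed: " + parts.scheme)
    if parts.netloc:
        if parts.hostname not in ALLOWED_HOSTS:
            raise ValueError("host not allowed")
    elif parts.scheme or not decoded.startswith("/"):
        raise ValueError("expected an absolute path or a full http(s) URL")
    # Emit the original, still percent-encoded form, never the decoded one.
    return target


def verdict(target: str):
    """Helper for demonstration: ('ok', value) or ('rejected', reason)."""
    try:
        return ("ok", safe_location(target))
    except ValueError as exc:
        return ("rejected", str(exc))
```

Validation runs on the fully decoded form, but the value returned for the header is the original encoded string, so an encoded CR/LF can never reach the response as a raw line break.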