webPromedium

Lab 283 — PulseMetrics — XSS via HTTP Response Splitting (CRLF Injection)

hackadvisor

Task: Marketing analytics platform with /track endpoint reflecting campaign parameter into X-Campaign-ID response header unsanitized, admin bot reviewing relative URLs. Solution: CRLF injection (double %0D%0A) in campaign parameter to split HTTP response and inject XSS payload, exfiltrated admin's flag cookie via unauthenticated /api/shared-reports endpoint.

xss cookie_stealing crlf_injection admin_bot decoy_flag httponly_bypass http_response_splitting tracking_endpoint shared_reports_api relative_url

crlf_header_injectionhttp_response_splitting_to_xsscookie_exfiltration_via_apiadmin_bot_exploitation_relative_urlunauthenticated_api_exfiltration

$ ls tags/ techniques/

xss cookie_stealing crlf_injection admin_bot decoy_flag httponly_bypass http_response_splitting tracking_endpoint shared_reports_api relative_url

crlf_header_injectionhttp_response_splitting_to_xsscookie_exfiltration_via_apiadmin_bot_exploitation_relative_urlunauthenticated_api_exfiltration

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

Sign in with GitHub, Discord, or Google to continue. No email required.

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 378 — PulseBoard — Cache Poisoning XSS via Next.js Header Misclassification— hackadvisor
[web][Pro]DevPulse — CSRF via JSON Content-Type Bypass— hackadvisor
[web][Pro]Lab 33 — PulsePress — Reflected XSS in Search Page— hackadvisor
[web][Pro]Lab 233 — PulseAPI — Regex Auth Bypass via Query String Injection— hackadvisor
[web][Pro]Lab 231 — PagePulse — XSS via Web Cache Poisoning— hackadvisor