| عنوان | SourceCodester SourceCodester KLiK Social Media Website v1.0.1 CRLF Injection |
|---|
| الوصف | HTTP header injection (CRLF injection) was discovered in dbh.inc.php during security testing. By manipulating the blog parameter in HTTP GET requests, an unauthenticated attacker can inject CRLF sequences into the Location response header. This allows the attacker to perform HTTP response splitting, set arbitrary cookies (session fixation), or inject malicious scripts (XSS) into the victim's browser.
Identify a vulnerable endpoint where blog parameter reflects into Location header.
Craft a malicious GET request with CRLF characters encoded as %0d%0a:
GET /includes/dbh.inc.php?blog=1%0d%0aSet-Cookie:%20session=evil%0d%0aX-IGNORE: HTTP/1.1
The server responds with an injected Set-Cookie header.
For XSS, inject %0d%0a%0d%0a followed by JavaScript:
GET /includes/dbh.inc.php?blog=1%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
The browser parses the injected response and executes the script. |
|---|
| المصدر | ⚠️ https://github.com/msaad1999/KLiK-SocialMediaWebsite |
|---|
| المستخدم | g111 (UID 92409) |
|---|
| ارسال | 27/04/2026 03:45 AM (1 شهر منذ) |
|---|
| الاعتدال | 24/05/2026 08:52 AM (27 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 365401 [KLiK SocialMediaWebsite 1.0 HTTP GET Request Parameter تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|