| शीर्षक | SourceCodester SourceCodester KLiK Social Media Website v1.0.1 CRLF Injection |
|---|
| विवरण | HTTP header injection (CRLF injection) was discovered in dbh.inc.php during security testing. By manipulating the blog parameter in HTTP GET requests, an unauthenticated attacker can inject CRLF sequences into the Location response header. This allows the attacker to perform HTTP response splitting, set arbitrary cookies (session fixation), or inject malicious scripts (XSS) into the victim's browser.
Identify a vulnerable endpoint where blog parameter reflects into Location header.
Craft a malicious GET request with CRLF characters encoded as %0d%0a:
GET /includes/dbh.inc.php?blog=1%0d%0aSet-Cookie:%20session=evil%0d%0aX-IGNORE: HTTP/1.1
The server responds with an injected Set-Cookie header.
For XSS, inject %0d%0a%0d%0a followed by JavaScript:
GET /includes/dbh.inc.php?blog=1%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
The browser parses the injected response and executes the script. |
|---|
| स्रोत | ⚠️ https://github.com/msaad1999/KLiK-SocialMediaWebsite |
|---|
| उपयोगकर्ता | g111 (UID 92409) |
|---|
| सबमिशन | 27/04/2026 03:45 AM (1 महीना पहले) |
|---|
| संयम | 24/05/2026 08:52 AM (27 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 365401 [KLiK SocialMediaWebsite 1.0 HTTP GET Request Parameter अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|