Security vulnerabilities

  • Status Closed
  • Assigned To No-one
  • Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 25.09.2025
Last edited by cbay - 25.09.2025

FS#216 - Client-Side Desync Http Request Smuggling in https://admin.alwaysdata.com/site/resolver/

# Client-Side Desync HTTP Request Smuggling in https://admin.alwaysdata.com/site/resolver/

Severity: Critical

Hello Team, I hope you are doing well. While researching your domain, I found a client-side desync vulnerability at https://admin.alwaysdata.com/site/resolver/.

# Steps to Reproduce:

1. Go to https://admin.alwaysdata.com/site/resolver/ and capture the request in Burp.
2. Paste the code to perform client-side desync (code is below):

POST /site/resolver/ HTTP/1.1
Host: admin.alwaysdata.com
Cookie: csrftoken=; mtm_consent=; roundcube_sessid=*; roundcube_sessauth=*; django_language=fr; sessionid=
Content-Type: text/plain
Content-Length: 104
Transfer-Encoding: chunked

0

GET /en/ HTTP/1.1
Host: www.alwaysdata.com
Content-Type: text/plain

{
"addresses":["<script>alert(1)</script>"
]

}

3. Run this request and you can see 2 responses occur.
4. Send this request multiple times and see it is caching the request (screenshot attached below).

# Video is attached below for confirming Client-Side Desync HTTP Request Smuggling

# Impacts of client-side desync:

Inject malicious scripts: Smuggle a request that injects a malicious script into a victim's session.

Hijack the session: Use the injected script to steal the victim's session cookie, allowing the attacker to impersonate the victim.

Force authenticated actions: The attacker can compel the victim's browser to perform unauthorized actions on their behalf.

Web cache poisoning: If the vulnerable endpoint involves a web cache, a CSD can be leveraged to poison it.

Redirect users: An attacker could poison the cache to redirect users to a malicious site, potentially leading to phishing or other scams.

Sensitive information disclosure: A CSD can force a victim's browser to send a request that leaks sensitive information, such as their session cookies.

Denial of service (DoS): Overwhelming a server with malformed or inconsistent requests can cause it to become unstable or unresponsive, leading to a denial-of-service condition.

Thank You,

Waleed Anwar

Closed by cbay
25.09.2025 15:42
Reason for closing: Invalid
25.09.2025: A request to reopen the task has been made. Reason for request: In the video, you can see that the https://admin.alwaysdata.com/jsi18n/ response is being misinterpreted as www.alwaysdata.com; an attacker can redirect a victim to a phishing page to steal their data.

Caching the Response

Admin
cbay commented on 25.09.2025 15:42

Hello,

3. Run this request and you can see 2 responses occur.

It's because you have 2 requests, not one (one POST and one GET).

4. Send this request multiple times and see it is caching the request (screenshot attached below).

The GET is cached, which is normal.

The rest of your issue doesn't make any sense, sorry. Your video shows no vulnerability whatsoever.

Kind regards,

Remove the second request; it shows 2 responses.

In the video, you can see that the https://admin.alwaysdata.com/jsi18n/ response is being misinterpreted as www.alwaysdata.com; an attacker can redirect a victim to a phishing page to steal their data.

Admin
cbay commented on 25.09.2025 15:48

Then send a video where you manage to redirect a victim to a phishing page.

There is a client-side desync appearing in the request; you can remove the GET request to see it generating 2 responses with 1 request.
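Framing the ticket's request the way a compliant server does, as an added example that is neither the reporter's nor alwaysdata's code: the chunked body ends at the lone 0 chunk, so the bytes after it are a second request on the same connection (hence two responses), and a front end that sees both Content-Length and Transfer-Encoding on one message should reject it rather than let two hops frame it differently. The sample bytes are constructed from the request in the ticket with the Cookie header dropped.

```python
import re

REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")

def frame_messages(raw: bytes) -> list:
    """Split one connection's bytes into HTTP/1.1 requests as a compliant server
    does (RFC 7230 3.3.3: chunked takes precedence over Content-Length). A final
    {'leftover': ...} entry holds trailing bytes that form no valid request."""
    msgs, pos = [], 0
    while pos < len(raw):
        end, line_end = raw.find(b"\r\n\r\n", pos), raw.find(b"\r\n", pos)
        first = raw[pos:line_end].decode(errors="replace") if line_end >= 0 else ""
        if end < 0 or not REQUEST_LINE.match(first):
            msgs.append({"leftover": raw[pos:]})
            break
        headers = {}
        for line in raw[pos:end].decode().split("\r\n")[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = end + 4
        if "chunked" in headers.get("transfer-encoding", "").lower():
            body = b""
            while True:  # chunk = <hex size>\r\n<data>\r\n; a size of 0 ends the body
                size_end = raw.index(b"\r\n", pos)
                size, pos = int(raw[pos:size_end].split(b";")[0], 16), size_end + 2
                if size == 0:
                    pos = raw.index(b"\r\n", pos) + 2  # skip the (empty) trailer section
                    break
                body, pos = body + raw[pos:pos + size], pos + size + 2
        else:
            n = int(headers.get("content-length", 0))
            body, pos = raw[pos:pos + n], pos + n
        msgs.append({"request_line": first, "body": body,
                     "ambiguous_framing": "transfer-encoding" in headers
                     and "content-length" in headers})
    return msgs

def should_reject(msgs: list) -> bool:
    """Defensive rule: answer 400 and close when a message carries both framing headers."""
    return any(m.get("ambiguous_framing") for m in msgs)

# Constructed sample: the request from the ticket, with the Cookie header dropped.
REPORT_REQUEST = (
    b"POST /site/resolver/ HTTP/1.1\r\nHost: admin.alwaysdata.com\r\n"
    b"Content-Type: text/plain\r\nContent-Length: 104\r\nTransfer-Encoding: chunked\r\n"
    b"\r\n0\r\n\r\n"  # chunked body: only the last chunk, so the POST body is empty
    b"GET /en/ HTTP/1.1\r\nHost: www.alwaysdata.com\r\nContent-Type: text/plain\r\n\r\n"
    b'{\r\n"addresses":["<script>alert(1)</script>"\r\n]\r\n\r\n}'
)
```

Running frame_messages(REPORT_REQUEST) yields the POST (empty body, flagged as ambiguous), the GET, and the JSON as leftover bytes that belong to no request.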
