Hacker News

booi, yesterday at 9:22 PM (5 replies)

Where would this happen? I have never seen an API reflect a secret back but I guess it's possible? perhaps some sort of token creation endpoint?


Replies

ptx, yesterday at 9:29 PM

How does the API know that it's a secret, though? That's what's not clear to me from the blog post. Can I e.g. create a customer named PLACEHOLDER and get a customer actually named SECRET?

mananaysiempre, yesterday at 10:22 PM

Say, an endpoint tries to be helpful and responds with “no such user: foo” instead of “no such user”. Or, as a sibling comment suggests, any create-with-properties or set-property endpoint paired with a get-property one also means game over.

Relatedly, a common exploitation target for black-hat SEO and even XSS is search pages that echo back the user’s search request.
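The two reflection paths named in this comment (an error message that echoes its input, and a set-property endpoint paired with a get-property one), worked through as an added defensive example that is not from the thread or the blog post under discussion: a proxy-side substitution step plus a response scan that redacts a secret the upstream API echoed back. The placeholder syntax, function names and secret value are assumptions.

```python
import base64
import json
import re
from urllib.parse import quote

# Constructed example: a proxy that swaps {{SECRET:NAME}} placeholders for real
# values on the way out, and a response-side check that catches the value being
# echoed back. Placeholder syntax, function names and the secret are hypothetical.

PLACEHOLDER = re.compile(r"\{\{SECRET:([A-Z_]+)\}\}")


def substitute(body: str, secrets: dict[str, str]) -> str:
    """Replace every {{SECRET:NAME}} token with the real value before sending."""
    return PLACEHOLDER.sub(lambda m: secrets[m.group(1)], body)


def reflected_forms(value: str) -> set[str]:
    """Shapes a careless endpoint may echo a value in: raw, URL-, JSON- and base64-encoded."""
    return {value, quote(value, safe=""), json.dumps(value)[1:-1],
            base64.b64encode(value.encode()).decode()}


def scan_response(body: str, secrets: dict[str, str]) -> tuple[str, list[str]]:
    """Redact any secret found in the upstream response; return (clean body, leaked names)."""
    leaked = []
    for name, value in secrets.items():
        for form in reflected_forms(value):
            if form in body:
                body = body.replace(form, f"[REDACTED:{name}]")
                if name not in leaked:
                    leaked.append(name)
    return body, leaked


def demo() -> dict[str, list[str]]:
    secrets = {"API_TOKEN": "tok_4f9c2e81/x"}  # constructed, not a real credential
    # Case 1: an over-helpful error reflects the unknown id, which was the secret.
    _, leaked_err = scan_response('{"error": "no such user: tok_4f9c2e81/x"}', secrets)
    # Case 2: set-property stores what the proxy substituted; get-property returns it.
    store = json.loads(substitute('{"note": "{{SECRET:API_TOKEN}}"}', secrets))
    _, leaked_get = scan_response(json.dumps({"note": store["note"]}), secrets)
    # A URL-encoded echo (the slash became %2F) is still caught.
    _, leaked_url = scan_response("/users/" + quote(secrets["API_TOKEN"], safe=""), secrets)
    return {"error": leaked_err, "get": leaked_get, "url": leaked_url}


if __name__ == "__main__":
    print(demo())
```

The scan is a last line of defence only: the substring match cannot catch a secret the API transformed (hashed, truncated, re-encoded in a form not listed), so the placeholder should only ever be allowed in request fields the upstream never echoes.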

tptacek, yesterday at 10:05 PM

It depends on where you allow the substitution to occur in the request. It's basically "the big bug class" you have to watch out for in this design.

tczMUFlmoNk, today at 2:46 AM

This is effectively what happened with the BotGhost vulnerability a few months back:

https://news.ycombinator.com/item?id=44359619

Tepix, yesterday at 9:28 PM

HTTP Header Injection or HTTP Response Splitting is a thing.