TrackHub uses raw HTTP headers to set language preferences and track referrers. User input is injected directly into HTTP response headers without sanitizing CRLF characters (\r\n).
The /api/set-language?lang=X endpoint sets a cookie with your language preference. The lang value is placed directly in the Set-Cookie header.
The /api/track?ref=X endpoint puts the ref value in a custom X-Referrer header.
Inject %0d%0a (URL-encoded \r\n) to add custom headers or Set-Cookie directives:
/api/set-language?lang=en%0d%0aSet-Cookie:%20role=admin
This injects a second Set-Cookie header, setting role=admin. Then access /api/admin/flag with the admin cookie.
API:
GET /api/set-language?lang=X — CRLF in lang param
GET /api/track?ref=X — CRLF in ref param
GET /api/admin/flag — needs cookie role=admin
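The flaw described above, reproduced and then closed in an added example (not TrackHub's code): a response head built by string concatenation, a header-value check that rejects CR, LF and other control characters, and a small client-side parse that shows which Set-Cookie headers actually come out. The payload is the one quoted in the challenge text; the server-side functions are assumed.

```python
"""CRLF injection into Set-Cookie: vulnerable vs. hardened header construction.

Added example, not TrackHub code. Assumes the server builds the HTTP response
head by string concatenation, which is the only way the described flaw arises.
"""
from urllib.parse import parse_qs, urlsplit

# Request target taken from the challenge description (percent-encoded CRLF).
PAYLOAD = "/api/set-language?lang=en%0d%0aSet-Cookie:%20role=admin"


def is_safe_header_value(value: str) -> bool:
    """RFC 9110 field values may not contain CR, LF or other control characters.

    Horizontal tab is the only control character permitted. An allowlist of
    known language codes would be the stronger control for this endpoint.
    """
    return not any((ord(ch) < 0x20 and ch != "\t") or ch == "\x7f" for ch in value)


def build_head_vulnerable(lang: str) -> str:
    # Mirrors the flaw: the decoded query value is concatenated into Set-Cookie,
    # so an embedded "\r\n" terminates the header and starts a new one.
    return f"HTTP/1.1 200 OK\r\nSet-Cookie: lang={lang}\r\n\r\n"


def build_head_hardened(lang: str) -> str:
    # Reject the request outright instead of stripping, so tampering is visible
    # in logs rather than silently "fixed".
    if not is_safe_header_value(lang):
        return "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return f"HTTP/1.1 200 OK\r\nSet-Cookie: lang={lang}\r\n\r\n"


def parse_headers(head: str) -> dict[str, list[str]]:
    """Parse a response head the way a client would; repeated names are kept."""
    out: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:
        if not line:  # blank line ends the header section
            break
        name, _, val = line.partition(":")
        out.setdefault(name.strip().lower(), []).append(val.strip())
    return out


def lang_from_request_target(target: str) -> str:
    """Percent-decode ?lang= exactly as the server framework would hand it over."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True).get("lang", [""])[0]


def demo() -> tuple[list[str], str]:
    lang = lang_from_request_target(PAYLOAD)
    smuggled = parse_headers(build_head_vulnerable(lang)).get("set-cookie", [])
    hardened_status = build_head_hardened(lang).split("\r\n")[0]
    return smuggled, hardened_status
```

`demo()` shows the vulnerable path emitting two Set-Cookie headers (the second being `role=admin`) while the hardened path answers 400 to the same request.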