search
GitHubTwitterExegolTools

🛠️CRLF injection

hashtag
Theory

CRLF represents termination of line:

  • CR = Carriage Return ()

  • LF = Line Feed ()

Windows and the protocol HTTP uses the CRLF however, Linux doesn't (it only uses LF). The CRLF injection is a type of attack where an attacker injects a termination of line into an application (via HTTP or URL) to provoke other types of vulnerability (HTTP Response Splitting, Log Injection...).

hashtag
Practice

hashtag
HTTP Response Splitting

hashtag
Reconnaissance

Important: before even considering a CRLF injection, testers have to find any data that is sent in a request and reflected in the response (that follows the previous request). An example by SecureFlagarrow-up-right considers an application that in case of error (/?error=Page+Not+found), redirects the user using the Location HTTP header while reflecting the value of the error parameter:

# Response (due to an application error)
HTTP/1.1 301 Moved Permanently
Location: /index?error=Page+Not+Found

From cases similar to this one, testers have to find a place where CRLF injection is possible, such as:

  • URL: https://example.com/<CRLF_injection>

  • Query parameter: https://example.com/lang=en<CRFL_injection>

Upon using a CRLF injection, testers can inject arbitrary HTTP headers.

Filter bypass: one can bypass filtersarrow-up-right using UTF-8 encoding

  • CRLF = %E5%98%8A%E5%98%8D

hashtag
Session fixation

A good example of session fixation (with CRLF injection) comes from the CVE-2017-5868 and is explained in this postarrow-up-right.

  1. An attacker notice that the parameter __session_start in OpenVPN is vulnerable to CRLF injection.

  2. The attacker crafts an URL by setting a cookie:

  3. The attacker sends this crafted URL to a victim.

  4. The victim opens the URL and authenticates itself. Once authenticated, the cookie will be associated with its session.

  5. The attacker can now use the cookie with the fixed session to access the victim's profile.

hashtag
Cross-Site Scripting (XSS)

PayloadsAllTheThingsarrow-up-right has an interesting payload to write a document, and therefore include an XSS.

Requested page:

HTTP response:

hashtag
Resources

LogoWhat Are CRLF Injection Attacks | AcunetixAcunetixchevron-right
LogoCRLF injection, HTTP response splitting & HTTP header injectionwww.netsparker.comchevron-right
LogoCRLF Injection | OWASP Foundationowasp.orgchevron-right
LogoLog Forging by CRLF Log InjectionSrcCodeschevron-right
Logo[CVE-2017-5868] OpenVPN Access Server : CRLF injection with Session fixation - Audit et formations en sécurité informatiquesysdream.comchevron-right
LogoHTTP Response Splitting VulnerabilitySecureFlag Security Knowledge Basechevron-right
https://blog.innerht.ml/overflow-trilogy/blog.innerht.mlchevron-right
https://blog.innerht.ml/twitter-crlf-injection/blog.innerht.mlchevron-right
LogoCRLF Injection Attack - GeeksforGeeksGeeksforGeekschevron-right
PreviousInsecure deserializationNextArbitrary file download

Last updated

Was this helpful?