🛠️ CRLF injection
CRLF is the line-termination sequence:
- CR = Carriage Return (\r)
- LF = Line Feed (\n)
Windows and the HTTP protocol use CRLF; Linux does not (it uses only LF). CRLF injection is a type of attack where an attacker injects a line terminator into an application (via HTTP or a URL) to trigger other vulnerabilities (HTTP Response Splitting, Log Injection, ...).
Important: before even considering a CRLF injection, testers have to find data that is sent in a request and reflected in the response to that request. An example by SecureFlag considers an application that, on error (/?error=Page+Not+found), redirects the user with the Location HTTP header while reflecting the value of the error parameter:
# Response (due to an application error)
HTTP/1.1 301 Moved Permanently
From cases similar to this one, testers have to find a place where CRLF injection is possible, such as:
- Query parameter:
Upon using a CRLF injection, testers can inject arbitrary HTTP headers.
- CRLF = %E5%98%8A%E5%98%8D
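As an added example (not code from the original page or from SecureFlag), here is a Python model of the error-redirect handler described above, with the naive header builder beside a hardened one; the parameter name, helper names and test inputs are assumed. The hardened builder accepts only printable ASCII in the Location value, which also refuses the non-ASCII code points behind the %E5%98%8A%E5%98%8D encoding listed above.

```python
import urllib.parse

CRLF = "\r\n"  # the HTTP line terminator (CR then LF)


def build_redirect_vulnerable(error_param: str) -> str:
    """Naive 301 builder: the decoded query value is concatenated straight into a
    header line, so an encoded CR/LF in the value ends the Location header early
    (constructed model of the faulty pattern, not real server code)."""
    value = urllib.parse.unquote(error_param)
    return ("HTTP/1.1 301 Moved Permanently" + CRLF
            + "Location: /?error=" + value + CRLF + CRLF)


def header_value_is_safe(value: str) -> bool:
    """A Location value is a URI, so only printable ASCII (0x21..0x7E) is allowed.
    This refuses CR, LF, every other control character and every non-ASCII
    code point, so no decoded form of the value can terminate a header line."""
    return all(0x21 <= ord(ch) <= 0x7E for ch in value)


def build_redirect_safe(error_param: str) -> str:
    """Hardened builder: validate after decoding, refuse the request otherwise."""
    value = urllib.parse.unquote(error_param)
    if not header_value_is_safe(value):
        return "HTTP/1.1 400 Bad Request" + CRLF + CRLF
    return ("HTTP/1.1 301 Moved Permanently" + CRLF
            + "Location: /?error=" + value + CRLF + CRLF)


def count_header_lines(raw_response: str) -> int:
    """Header lines (excluding the status line) before the first blank line.
    More than one line for a single reflected header shows that the input
    split the header block."""
    head = raw_response.split(CRLF + CRLF, 1)[0]
    return len(head.split(CRLF)) - 1


if __name__ == "__main__":
    benign = "Page+Not+found"                                  # constructed input
    split = "Page+Not+found%0d%0aX-Injected:%20yes"            # constructed input
    print(count_header_lines(build_redirect_vulnerable(benign)))  # 1
    print(count_header_lines(build_redirect_vulnerable(split)))   # 2
    print(build_redirect_safe(split).split(CRLF)[0])              # HTTP/1.1 400 Bad Request
```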
A good example of session fixation (with CRLF injection) comes from CVE-2017-5868 and is explained in this post.
1. An attacker notices that the parameter __session_start__ in OpenVPN is vulnerable to CRLF injection.
2. The attacker crafts a URL that sets a cookie: https://example.com/__session_start__/<CRLF_injection>Set-Cookie:<Cookie>[...]
3. The attacker sends this crafted URL to a victim.
4. The victim opens the URL and authenticates. Once authenticated, the cookie is associated with the victim's session.
5. The attacker can now use the cookie with the fixed session to access the victim's profile.
HTTP/1.1 200 OK
Last-Modified: Mon, 27 Oct 2060 14:50:18 GMT
<html>You have been Phished</html>