Active Directory
Web services
Systems & services
๐ ๏ธ Physical
๐ ๏ธ RADIO
๐ ๏ธ binary exploitation
๐ ๏ธ CRLF injection
Theory
CRLF represents termination of line:
- CR = Carriage Return (
\r) - LF = Line Feed (
\n)
Windows and the protocol HTTP uses the CRLF however, Linux doesn't (it only uses LF). The CRLF injection is a type of attack where an attacker injects a termination of line into an application (via HTTP or URL) to provoke other types of vulnerability (HTTP Response Splitting, Log Injection...).
Practice
HTTP Response Splitting
Reconnaissance
Important: before even considering a CRLF injection, testers have to find any data that is sent in a request and reflected in the response (that follows the previous request).
An example by SecureFlag considers an application that in case of error
(/?error=Page+Not+found), redirects the user using the Location HTTP header while reflecting the value of the error parameter:1
# Response (due to an application error)
2
HTTP/1.1 301 Moved Permanently
3
Location: /index?error=Page+Not+Found
Copied!
From cases similar to this one, testers have to find a place where CRLF injection is possible, such as:
- URL:
https://example.com/<CRLF_injection> - Query parameter:
https://example.com/lang=en<CRFL_injection>
Upon using a CRLF injection, testers can inject arbitrary HTTP headers.
- CRLF = %E5%98%8A%E5%98%8D
Session fixation
A good example of session fixation (with CRLF injection) comes from the CVE-2017-5868 and is explained in this post.
- 1.An attacker notice that the parameter
__session_startin OpenVPN is vulnerable to CRLF injection. - 2.The attacker crafts an URL by setting a cookie:1https://example.com/__session_start__/<CRLF_injection>Set-Cookie:<Cookie>[...]Copied!
- 3.The attacker sends this crafted URL to a victim.
- 4.The victim opens the URL and authenticates itself. Once authenticated, the cookie will be associated with its session.
- 5.The attacker can now use the cookie with the fixed session to access the victim's profile.
Cross-Site Scripting (XSS)
โPayloadsAllTheThings has an interesting payload to write a document, and therefore include an XSS.
Requested page:
1
http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E
Copied!
HTTP response:
1
Set-Cookie:en
2
Content-Length: 0
3
โ
4
HTTP/1.1 200 OK
5
Content-Type: text/html
6
Last-Modified: Mon, 27 Oct 2060 14:50:18 GMT
7
Content-Length: 34
8
โ
9
<html>You have been Phished</html>
Copied!
References
What Are CRLF Injection Attacks | Acunetix
Acunetix
CRLF injection, HTTP response splitting, and HTTP header injection vulnerabilities
netsparker
CRLF Injection | OWASP
Log Forging by CRLF Log Injection
SrcCodes
Sysdream, [CVE-2017-5868] OpenVPN Access Server : CRLF injection with Session fixation
HTTP Response Splitting Vulnerability
SecureFlag Security Knowledge Base
Overflow Trilogy
XSS Jigsaw
CRLF injection on Twitter or why blacklists fail
XSS Jigsaw
CRLF Injection Attack - GeeksforGeeks
GeeksforGeeks
Last modified 3mo ago
Copy link
Edit on GitHub