CRLF is the acronym used to refer to Carriage Return (\r) Line Feed (\n). As one might notice from the symbols in the brackets, “Carriage Return” refers to the end of a line, and “Line Feed” refers to the new line. Hence, both CR and LF are used to denote the ending point of a line. When a user requests content on a website, the server returns the website content along with the HTTP headers. The headers and the contents are separated by a defined combination of CR and LF. It is because of CRLF that a server knows where a new header begins or ends. A Carriage Return Line Feed (CRLF) Injection vulnerability is a type of Server Side Injection which occurs when an attacker inserts the CRLF characters in an input field to deceive the server by making it think that an object has terminated and a new one has begun. This happens when the web application doesn’t sanitize user input for CRLF characters. It has a medium severity rating (P3 according to Bugcrowd’s VRT).
CRLF Injection attack has two most important use cases:
- Log Splitting: The attacker inserts an end of line character and an extra line to falsify the log file entries in order to deceive the system administrators by hiding other attacks.
- HTTP Response Splitting: CRLF injection is used to add HTTP headers to the HTTP response and, for example, perform an XSS attack that leads to information disclosure.
A simple GET request can be crafted as follows:
GET /%0d%0aSet-Cookie:CRLFInjection=PreritPathak HTTP/1.1
Note: %0d and %0a are encoded forms of \r and \n respectively. If the web application is vulnerable, an attacker will be able to set a cookie on the website.
Impacts of CRLF injection
CRLF Injection allows the attacker to set fake cookies, steal CSRF tokens, disclose user information by injecting a script (XSS) and perform a variety of other attacks. It also allows attackers to deactivate & bypass security measures like XSS filters & Same Origin Policy (SOP), making them susceptible to the following attacks:
1. XSS or Cross Site Scripting
By Popping an alert containing sensitive user information
By Disabling XSS Protection
2. Cookie Injection
HTTP Response Splitting allows an attacker to set malicious cookies on the victim’s browser. In most cases, the following GET request will result in a 307 Redirect, and thus the victim will be redirected to target.com & the URL won’t contain the Set-Cookie parameter. In the background however, the cookie will be set.
3. Phishing Attacks
An attacker can set the Location header which would redirect the victim to the evil website. This website can be developed to look just like the target website and when the victim enters their credentials, they’ll be sent to the attacker. The location header can be set as:
GET /%0d%0aLocation:%20https://evil.com HTTP/1.1
4. Session Fixation
Similar to the Cookie Injection attack, here the attacker sets a user’s session id to a particular value. This link is sent to the victim and when the victim logs in using this session, the attacker can also log in by using the same session id.
5. HTTP Header Injection
An attacker can leverage the CRLF injection to inject HTTP Headers in an application in order to defeat security mechanisms such XSS filters or the same-origin-policy.
6. Web Cache poisoning
Web-cache poisoning is a technique due to which an attacker can serve poisoned content by manipulating a web cache. In order to successfully exploit this issue, an attacker would need to poison the vulnerable website’s caching proxy, syndicators, content delivery networks (CDNs) or other caching mechanisms in-between the client and the server. After a successful web cache poisoning, the victim will have no idea about the malicious content being served to them by the cache. The below is an example of how an attacker could potentially exploit a host header injection (using CRLF) by poisoning a web-cache.
For the following Request:
$ telnet www.target.com 80 Trying x.x.x.x... Connected to www.target.com. Escape character is '^]'. GET /%0d%0aX-Forwarded-Host:hacker.com HTTP/1.1 //or Host Host: target.com
There would be the following response:
HTTP/1.1 200 OK
Miscellaneous Use Cases:
1. Injecting a fake HTTP response header:
Now, the web browser will only parse the next 10 bytes.
2. Injecting a fake HTTP response header:
This is treated as a terminated response & the web browsers begin parsing a new response.
A developer should keep the following things in mind to prevent CRLF injection:
- Sanitization of user input.
- Encode CR & LF characters (\r, \n) so that even when they’re supplied, they aren’t recognized by the server.
- Validate the user input before they reach the response headers (e.g. by using methods like StringEscapeUtils.escapeJava()).
- An unnecessary header should be disabled.
The following table emphasizes the severity of CRLF injection according to various industry standards:
|Classification||ID / Severity|