CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
#What is CRLF injection?
CRLF injection is a vulnerability that lets a malicious hacker inject carriage return (CR) and linefeed (LF) characters to change the way a web application works or to confuse its administrator. There are two main malicious uses for CRLF injections: log poisoning (also called log injection, log splitting, or log forging) and HTTP response splitting.
Carriage Return Line Feed
The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They're used to note the termination of a line, however, dealt with differently in todayβs popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line.
A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.
Set-Cookie:enContent-Length:0HTTP/1.1 200 OKContent-Type:text/htmlLast-Modified:Mon, 27 Oct 2060 14:50:18 GMTContent-Length:34<html>You have been Phished</html>
In a log poisoning attack based on CRLF injection, a malicious hacker injects CRLF charaβcters into web server log files to confuse both automatic log analysis systems and system administrators browsing the logs manually.