CRLF to XSS

3 min readNov 29, 2023

Hi guys, I will share an interesting finding today. I found a CRLF vulnerability and was able to chain it to an XSS vulnerability with some bypasses. I found it in a domain belonging to Snapchat.

What is CRLF?

CRLF stands for Carriage Return (CR) and Line Feed (LF). These are control characters used to mark the end of a line of text and the beginning of a new line. The sequence of these two characters is used as a line ending in various operating systems, including Unix, Windows, and others.

In the context of security, CRLF injection is a type of attack where an attacker is able to inject CRLF characters into an HTTP response. This can lead to various security issues, such as HTTP header injection, cross-site scripting (XSS), and even remote code execution (RCE) in some cases.

We will call our domain target.com so lets start.

I found an endpoint, `target.com/api/users/id`, where `users/id` was reflected in the `X-api` header. I removed `id` and replaced it with `%0d%0aanything`, and it worked. Now, let’s see how to get XSS.

Fisrt we need to change content-type to text/html so i added payload %0d%0acontent-type:text/html;

but it didn’t work why?finally i discoverd that server was filtering / i tried some encoding but wasn’t work. what about remove content-type so i used payload %0acontent-type:%0a%0a<html>

It was removed and now <html> seemes to work in burp but… in browser wasn’t work still handel it as text.

After some search i know where is problem all time was in front of us x-content-type-options header in response

What is this header??

The X-Content-Type-Options response header is a security feature that can prevent certain types of attacks. It has two possible values: nosniff and undefined.

If the X-Content-Type-Options header is set to nosniff, it instructs the browser to use the MIME type set in the Content-Type header and not to sniff the content or override the MIME type.

On the other hand, if the X-Content-Type-Options header is set to undefined, it means that the browser will use its own content type sniffing. This can be potentially unsafe as it might allow the browser to change the content type based on the content of the response, which could lead to security vulnerabilities.

In general, it’s a good security practice to set the X-Content-Type-Options header to nosniff for all of your resources. This ensures that the browser uses the correct content type and does not sniff the content, which can prevent certain types of attacks

so that all we need to set it to undefined and remove content-type so browser will handle response correctly