How I tested for CRLF Injection with Akto
What’s with this CRLF Injection?
A CRLF injection attack is one of various forms of injection attacks. It can be used to escalate to more malicious attacks such as Cross-site Scripting (XSS), page injection, web cache poisoning, cache-based defacement, and others. A CRLF injection vulnerability arises if an attacker can inject CRLF characters into a web application, such as through a user input form or an HTTP request.
Carriage Return and Line Feed are abbreviated as CRLF. CR and LF are special characters (ASCII 13 and 10, respectively, often known as rn) that are used to indicate the End of the Line (EOL). The CRLF sequence is used in operating systems such as Windows (but not Linux/UNIX) and Internet protocols such as HTTP.
Usually, this attack performs based on the vulnerable web application, and it does not do the correct filtering for the user point.
-Cyber Writes Team
The most prominent applications for CRLF injection attacks are log poisoning and HTTP response splitting. In the first instance, the attacker forges log file entries by adding a line break and an extra line. This can be used to conceal additional threats or to perplex system administrators. In the second situation, CRLF injection is used to insert HTTP headers into the HTTP response and, for example, execute an XSS attack that results in information exposure. To add SMTP headers to emails, a similar technique known as Email Header Injection may be employed.
The Hitchhiker’s Guide to CRLF Injection
Imagine you’re on a road trip and decide to pick up a hitchhiker. This friendly-looking traveler wants a ride to the next town. In the world of software, every newline character (CRLF) is like a hitchhiker. They are essential for formatting and separating lines in documents and protocols, but when mishandled, they can be like uninvited hitchhikers, creating chaos in your code. CRLF Injection happens when an attacker sneaks malicious newline characters into your data. It’s a bit like a hitchhiker secretly carrying contraband in your car without your knowledge.
The Real-World Impact
Let’s take a break from our road trip analogy and consider some real-world examples of CRLF attacks:
1. HTTP Response Splitting:
Imagine you’re at a restaurant, and you place an order for “Pasta\r\n\r\nHTTP/1.1 200 OK.” Suddenly, you receive two servings of pasta, and your bill reads, “200 OK.” CRLF Injection can be used to manipulate HTTP responses and mislead the server or client.
2. Phishing Attacks:
You receive an email that seems legitimate, but hidden CRLF characters redirect you to a fraudulent website. Just as hitchhikers can lead you down unknown paths, CRLF Injection can steer you toward phishing traps.
3. Session Fixation:
Think of your online account as a locked car. An attacker injects CRLF characters, leaving an open door for them to enter. You assume your session is secure, but you’ve essentially given them the keys.
How can you test for CRLF Injection using Akto's Test Editor?
What is Akto?
Akto is an open-source, instant API security platform that takes only 60 secs to get started. Akto is used by security teams to maintain a continuous inventory of APIs, test APIs for vulnerabilities, and find runtime issues. Akto offers tests for all OWASP top 10 and HackerOne Top 10 categories including BOLA, authentication, SSRF, XSS, security configurations, etc. Akto’s powerful testing engine runs a variety of business logic tests by reading traffic data to understand API traffic patterns, leading to reduced false positives. Akto can integrate with multiple traffic sources — Burpsuite, AWS, postman, GCP, gateways, etc.
How can you use the test editor?
After cloning the Repo locally, on your favorite browser head on to localhost:9090 and sign up if you have not already.
Now that you have settled up with the local setup, you can proceed with the Test Editor and then on with writing the CRLF injection test.
Side panel → Test Editor → Search CRLF Injection
HTTP Header Abuse using CRLF Injection
id: ABUSING_CRLF_IN_HEADERS
info:
name: "HTTP Header Abuse using CRLF Injection"
description: "This test examines the vulnerability of CRLF injection in HTTP headers, specifically focusing on the manipulation of query parameters through the abuse of line breaks."
details: >
"In a CRLF injection attack, the attacker inserts the carriage return and linefeed characters into user input to trick the server, the web application, or the user into thinking that an object has terminated and another one has started
By exploiting a CRLF injection, an attacker can also insert HTTP headers which could be used to defeat security mechanisms such as a browser’s XSS filter or the same-origin-policy. This allows malicious actors to obtain sensitive information like CSRF tokens.
Attackers can also set cookies which could be exploited by logging the victim into the attacker’s account or used to exploit otherwise unexploitable cross-site scripting vulnerabilities."
impact: "The impact of CRLF injections varies depending on the attack context, but will typically cover all the consequences of cross-site scripting and information disclosure that the injection allowed.
The technique can also be used to deactivate certain security restrictions like XSS filters and same-origin policy in the victim’s browser, paving the way for other malicious attacks."
category:
name: CRLF
shortName: CRLF Injection
displayName: CRLF Injection
subCategory: ABUSING_CRLF_IN_HEADERS
severity: MEDIUM
tags:
- Business logic
- OWASP top 10
- HackerOne top 10
references:
- "https://www.invicti.com/blog/web-security/crlf-http-header/"
cwe:
- CWE-93
- CWE-74
- CWE-20
api_selection_filters:
query_param:
for_one:
key:
regex: .*
extract: query_key
value:
extract: query_value
execute:
type: single
requests:
- req:
- modify_query_param:
query_key: ${query_value}%0Aakto-header%3aakto-value
validate:
response_headers:
for_one:
key:
eq: akto-header
value:
eq: akto-valueThe ABUSING_CRLF_IN_HEADERS test is specifically designed to identify vulnerabilities related to CRLF (Carriage Return Line Feed) Injection in HTTP headers. This type of security test aims to detect scenarios where attackers manipulate query parameters, leveraging line breaks in user input to exploit weaknesses in web applications. The test assesses the impact of potential CRLF Injection vulnerabilities, which could result in information disclosure, the deactivation of critical security mechanisms, and the setting of malicious headers, potentially leading to further malicious attacks. It categorizes such vulnerabilities as CRLF Injection and rates their severity as medium. The test execution involves the injection of a specific string into query parameters, and the subsequent validation ensures that the injected header is present in the response. This test is crucial for identifying and mitigating CRLF Injection risks, contributing to enhanced security and the prevention of potential security breaches.
HTTP Response Splitting Using CRLF
id: HTTP_RESPONSE_SPLITTING
info:
name: "HTTP Response splitting using CRLF"
description: "HTTP header injection allows attackers to add headers or inject content, leading to XSS attack"
details: >
"HTTP header injection is a technique where attackers insert CRLF characters to add headers or inject content, enabling actions like redirection to malicious websites or executing XSS attacks.
By manipulating the header structure, attackers can deceive web browsers and bypass server content, potentially leading to phishing attempts or defacement of websites."
impact: "The impact of CRLF injections varies depending on the attack context, but will typically cover all the consequences of cross-site scripting and information disclosure that the injection allowed.
The technique can also be used to deactivate certain security restrictions like XSS filters and same-origin policy in the victim’s browser, paving the way for other malicious attacks."
category:
name: CRLF
shortName: CRLF Injection
displayName: CRLF Injection
subCategory: HTTP_RESPONSE_SPLITTING
severity: MEDIUM
tags:
- Business logic
- OWASP top 10
- HackerOne top 10
references:
- "https://www.invicti.com/blog/web-security/crlf-http-header/"
cwe:
- CWE-93
api_selection_filters:
query_param:
for_one:
key:
regex: .*
extract: query_key
value:
extract: query_value
execute:
type: single
requests:
- req:
- modify_query_param:
query_key: ${query_value}%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
validate:
response_payload:
contains_either: "<script>alert(1)</script>"The HTTP_RESPONSE_SPLITTING test is focused on detecting vulnerabilities related to HTTP Response Splitting using CRLF (Carriage Return Line Feed) injection techniques. HTTP Response Splitting is a critical security concern as it enables attackers to manipulate HTTP headers, potentially leading to actions such as the injection of malicious content or the execution of Cross-Site Scripting (XSS) attacks.
Outcomes of the test
The outcomes of the two tests, ABUSING_CRLF_IN_HEADERS and HTTP_RESPONSE_SPLITTING, conducted with Akto, depend on the specific behavior of the target web applications and their vulnerability to CRLF (Carriage Return Line Feed) Injection and HTTP Response Splitting, respectively. Akto, an automated API security tool, plays a pivotal role in identifying security weaknesses in web applications. Here are the potential outcomes for each test with a mention of Akto’s involvement:
The outcome for ABUSING_CRLF_IN_HEADERS Test with Akto:
- If the target web application is vulnerable to CRLF Injection in HTTP headers, Akto may detect this vulnerability, providing a positive finding that highlights the application’s susceptibility to header manipulation through CRLF Injection.
- Akto rates the severity of this vulnerability as “MEDIUM” and provides specific details about the detected issue, which is invaluable for developers and security teams.
- The test conducted with Akto ensures that the “akto-header” with the value “akto-value” is identified in the response headers.
- Akto’s automated testing capabilities streamline the identification and reporting of security vulnerabilities, contributing to enhanced web application security.
The outcome for HTTP_RESPONSE_SPLITTING Test with Akto:
- If the target web application is vulnerable to HTTP Response Splitting using CRLF injection, Akto may produce a positive result, indicating the application’s susceptibility to HTTP header manipulation, which can lead to XSS attacks and other malicious actions.
- Akto rates the severity of this vulnerability as “MEDIUM” and provides specific information about the identified HTTP Response Splitting issue.
- Akto’s automated test injects content into query parameters, and if the response payload contains “<script>alert(1)</script>,” it confirms the presence of HTTP Response Splitting.
- Akto’s role in automating the testing process ensures that security vulnerabilities are identified efficiently, allowing developers and security teams to take prompt action to rectify the issues.
Akto’s automated security testing capabilities empower organizations to proactively assess and address security vulnerabilities in their web applications, thereby strengthening their overall security posture. Akto’s contribution to security testing is invaluable in safeguarding web applications against potential attacks and exploitation by malicious actors.
