#BugBounty — Exploiting CRLF Injection can land a nice bounty

Hi Guys,

Back with one more blog post. This time I am sharing my experience of exploiting CRLF injection and how it landed me a good bounty.

CRLF Injection is a web application vulnerability that occurs when user-supplied data is written directly into HTTP response header fields (Location, Set-Cookie, etc.) without proper sanitisation. The carriage return (CR, \r, 0x0D) and line feed (LF, \n, 0x0A) characters terminate a header line in HTTP, so an attacker who can get a CRLF sequence into a header value can append headers of their own, and with a second CRLF (an empty line) can even supply the start of the response body. The resulting exploits range from XSS and cache poisoning to cache-based defacement and page injection.

This one comes from the website of an online food delivery company in India, which I was searching for security loopholes. On their home page, a couple of inputs were reflected into the HTTP response headers. After a bit of fiddling, I discovered that non-printable control characters were not being encoded, which they should be, so I tried a CRLF payload and injected a "Location" header to see whether the response would redirect. Below is the POC:

CRLF Injection HTTP Header

The server reflected the CRLF characters into the response unchanged, so a "Location" header appears in the HTTP response with the value "http://www.evilzone.org", exactly as injected via the CRLF payload, as seen in the screenshot below:

CRLF Injection

and the redirection to the attacker site, evilzone.org, went through successfully.

Successful Redirection via CRLF Injection

The impact of CRLF Injection depends on what the attacker can place into the response. It ranges from open redirection (as here) and information disclosure to everything Cross-Site Scripting can do, because injecting an empty line (CRLF CRLF) lets the attacker start a response body of their choosing. Injected headers can also switch off browser-side defences in the victim's browser, for example X-XSS-Protection: 0 to disable the legacy XSS filter, or an Access-Control-Allow-Origin header to relax the Same-Origin Policy for cross-origin reads, leaving the victim susceptible to further attacks.

Mitigation Techniques-

The fix is simple: strip or reject CR and LF in user-supplied data (and encode the remaining value) before it is written to a header, so that no line terminator can reach the header at all. Most frameworks already do this in their header-setting API (Django raises BadHeaderError and Node's http module throws on a newline in a header value), so the bug usually appears where application code bypasses that API and assembles headers by string concatenation. For redirects, additionally validate the target against an allow-list of your own hosts.
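To make the POC and the fix concrete, here is an added example (not code from the original post or from the affected company): a minimal handler that reflects a query parameter into a response header by string concatenation, the same handler with CR/LF stripped, and a small response parser that does the check a tester would do, namely look for headers the endpoint never sends on its own. The parameter name `lang`, its reflection into Set-Cookie, and the expected header set are assumptions; the post does not name the reflected inputs.

```python
"""Added example, not code from the original post.

Models the bug class the post describes: a handler copies a query parameter
into a response header by string concatenation, so a percent-encoded CRLF
(%0d%0a) in the parameter ends the header line and lets the requester append
headers, or with a second CRLF a whole body, of their own. The hardened
handler removes CR and LF before the value reaches the header.

Assumptions (not stated in the post): the parameter is called `lang` and is
reflected into a Set-Cookie header; the target domain is the one in the post.
"""
import re
from urllib.parse import parse_qs, urlsplit

ATTACKER_SITE = "http://www.evilzone.org"  # redirect target used in the post


def _reflected_param(url: str, name: str) -> str:
    """Return the first value of ?name= (parse_qs already percent-decodes it)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def vulnerable_response(url: str) -> bytes:
    """Raw HTTP response that reflects ?lang= into Set-Cookie unfiltered."""
    lang = _reflected_param(url, "lang")
    raw = ("HTTP/1.1 200 OK\r\n"
           "Content-Type: text/html\r\n"
           "Set-Cookie: lang=" + lang + "\r\n"   # a CR/LF inside `lang` ends the line early
           "\r\n"
           "<html>ok</html>")
    return raw.encode("latin-1")


def header_safe(value: str) -> str:
    """Mitigation from the post: drop CR and LF so the value can only ever
    occupy one header line. Rejecting the request with 400 is the stricter option."""
    return re.sub(r"[\r\n]", "", value)


def hardened_response(url: str) -> bytes:
    """Same handler with the header value sanitised before use."""
    lang = header_safe(_reflected_param(url, "lang"))
    raw = ("HTTP/1.1 200 OK\r\n"
           "Content-Type: text/html\r\n"
           "Set-Cookie: lang=" + lang + "\r\n"
           "\r\n"
           "<html>ok</html>")
    return raw.encode("latin-1")


def parse_response(raw: bytes):
    """Split a raw response into (status_line, [(name, value), ...], body).
    Headers stay an ordered list because an injected duplicate (a second
    Location or Set-Cookie) is exactly what the tester is looking for."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body.decode("latin-1")


EXPECTED_HEADERS = {"content-type", "set-cookie"}  # what this endpoint normally emits


def unexpected_headers(raw: bytes) -> list:
    """Tester's check: header names the endpoint never sends on its own.
    A non-empty result after a %0d%0a payload confirms the injection."""
    _, headers, _ = parse_response(raw)
    return [name for name, _ in headers if name.lower() not in EXPECTED_HEADERS]


def header_values(raw: bytes, name: str) -> list:
    """All values of a given header, case-insensitive on the name."""
    _, headers, _ = parse_response(raw)
    return [v for n, v in headers if n.lower() == name.lower()]


# Constructed payloads: header injection (the post's Location trick), then body injection.
REDIRECT_PAYLOAD = "/?lang=en%0d%0aLocation:%20" + ATTACKER_SITE
BODY_PAYLOAD = "/?lang=en%0d%0a%0d%0a<script>alert(1)</script>"

if __name__ == "__main__":
    for label, handler in (("vulnerable", vulnerable_response),
                           ("hardened", hardened_response)):
        raw = handler(REDIRECT_PAYLOAD)
        print(label, "Location:", header_values(raw, "Location"),
              "unexpected:", unexpected_headers(raw))
        print(label, "body:", repr(parse_response(handler(BODY_PAYLOAD))[2][:40]))
```

Two caveats when using this against a live target: a browser only acts on a Location header when the status line is a 3xx, so check the status of the reflecting endpoint before reporting the redirect as the impact, and remember that the empty-line payload gives body control regardless of status, which is the route to XSS. The hardened version strips the characters rather than rejecting the request; either works, as long as it happens before the value is concatenated into the header, since that concatenation is the step the framework's own header API would otherwise have protected.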

Report details-

11-Nov-2017 — Bug reported to the concerned company.

06-Dec-2017 — Bug was marked fixed.

13-Dec-2017 — Re-tested and confirmed the fix.

20-Dec-2017 — Awarded by company (USD 250).

Thanks for reading!

~Logicbomb ( https://twitter.com/logicbomb_1 )


Written by Avinash Jain (@logicbomb_1)

Lead Infrastructure Security Engineer@Grofers | DevSecOps | Speaker | Breaking stuff to learn | Featured in Forbes | Acknowledged by Google, NASA, Yahoo, UN etc

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew
