#BugBounty — Exploiting CRLF Injection can lands into a nice bounty

Hi Guys,

Back with one more blog and this time I would be sharing my experience of exploiting CRLF injection and how it lands me to a good bounty.

CRLF Injection Vulnerability is a web application vulnerability happens due to direct passing of user entered data to the response header fields like (Location, Set-Cookie and etc) without proper sanitsation, which can result in various forms of security exploits.Security exploits range from XSS, Cache-Poisoning, Cache-based defacement,page injection and etc.

So this comes in an Online Food Delivery company of India while searching for some security loophole in their website. In their home page, there are a couple of inputs being reflected into the HTTP Headers . After a bit of fiddling, I discovered that non-printable control characters were not encoded which they should be, which took me to try for CRLF and I tried to add “Location” header to see whether it was getting redirected. Below is the POC —

CRLF Injection HTTP Header

Now the Server responds to this request by injecting the CRLF characters in the response , you will find “Location” http header has been set in the http response with the value “http://www.evilzone.org” as injected via the CRLF payload in the below screesnshot—

CRLF Injection

and the successful redirection was taking place to the attacker site -”evilzone.org”.

Successful Redirection via CRLF Injection

Impact of CRLF Injection vary and also include all the impacts of Cross-site Scripting to information disclosure. It can also deactivate certain security restrictions like XSS Filters and the Same Origin Policy in the victim’s browsers, leaving them susceptible to malicious attacks.

Mitigation Techniques-

A simple solution for CRLF Injection is to sanitise the CRLF characters before passing into the header or to encode the data which will prevent the CRLF sequences entering the header.

Report details-

11-Nov-2017 — Bug reported to the concerned company.

06-Dec-2017 — Bug was marked fixed.

13-Dec-2017— Re-tested and confirmed the fix.

20-Dec-2017 — Awarded by company (USD 250).

Thanks for reading!

~Logicbomb ( https://twitter.com/logicbomb_1 )