What is CRLF Injection and How Does it Work?

Vincent ie
MII Cyber Security Consulting Services
Mar 30, 2024

1. Introduction

CRLF injection is one of many injection attacks that lets a malicious hacker inject carriage return (CR) and linefeed (LF) characters to change the way a web application works. A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.

The term CRLF refers to Carriage Return (\r) and Line Feed (\n). They mark the termination (\r) of a line and the beginning (\n) of a new one. That means anything written after \r\n starts on a new line, and these line breaks are what separate an HTTP request or response into its parts, such as the status line, headers and body.

2. Example of CRLF Injection Attack

There are two ways of using CRLF injection: log poisoning and HTTP response splitting.

  • Log poisoning example:

Log poisoning involves the insertion of an end-of-line character and an additional line into log file entries to deceive system administrators by concealing other attacks.

233.252.0.123 - - [11/Oct/2022:11:34:50 +0100] "GET /example.php?id=1 HTTP/1.0" 200 452

This request can be injected with a CRLF after “452,” which indicates the byte size of the request.

https://www.example.com/example.php?id=3+HTTP%2F1.0%22+200+452%0D%0A10.0.23.30+-+admin+%5B01%2FJan%2F2023%3A12%3A00%3A00+%2B0100%5D+%22GET+%2Fadmin.php%3Fuserid%3D123

The request above is URL encoded; below is the resulting log after URL decoding. “%0D%0A” is the URL-encoded form of \r\n. The request above contains a fake log entry, so when it is logged, the log file will include an extra line.

233.252.0.123 - - [11/Oct/2022:11:34:50 +0100] "GET /example.php?id=1 HTTP/1.0" 200 452

10.0.23.30 - admin [01/Jan/2023:12:00:00 +0100] "GET /admin.php?userid=123 HTTP/1.0" 200 452

This log makes it look as if an admin requested the admin.php page, which we know isn’t true: the attacker used CRLF injection to make the log contain one more line.

  • HTTP response splitting example:

HTTP Response Splitting, on the other hand, utilizes CRLF injection to append HTTP headers to the HTTP response, potentially enabling XSS attacks that result in information disclosure.

[Image not preserved: the red text is what the attacker injected into the request.]

In this example, someone injected a CRLF at the Location value, which means the value of Location is empty. When the Location value is empty, the browser simply ignores that header and continues to parse the rest of the headers, which is Content-Type: text/html \r\n\r\n and so on.

3. Mitigation of CRLF injection Attack

CRLF injection vulnerabilities are typically addressed automatically by web frameworks. Many web frameworks nowadays prevent HTTP response splitting through CRLF injection by not allowing CRLF sequences to be included in HTTP headers. To be more certain, you can also mitigate CRLF injection attacks yourself:

  • Rework your code so that content supplied by the user is never used directly in the HTTP stream.
  • Strip any newline characters before passing content into the HTTP header.
  • Encode the data that you pass into HTTP headers. This will effectively scramble the CR and LF codes if the attacker attempts to inject them.
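
The second and third mitigations, together with the matching fix on the logging side, as an added Python example (not code from the original article). The function names and the sample request line are assumptions constructed for illustration.

```python
import re
from urllib.parse import quote

# CR, LF and the other ASCII control characters (tab excepted).
_CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

def strip_newlines(value: str) -> str:
    """Drop CR/LF and other control characters before a value reaches a header."""
    return _CTL.sub("", value)

def encode_for_location(target: str) -> str:
    """Percent-encode user input so an injected CR/LF becomes the text %0D%0A."""
    return quote(target, safe="/?=&")

def build_redirect(target: str) -> bytes:
    """Build a 302 response whose Location value comes from user input."""
    location = encode_for_location(target)
    if _CTL.search(location):  # defence in depth: refuse instead of emitting
        raise ValueError("control character in header value")
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode("ascii")

def naive_log_line(client: str, request_line: str, status: int, size: int) -> str:
    """Unsafe form: the request line is written to the log unchanged."""
    return f'{client} - - "{request_line}" {status} {size}\n'

def safe_log_line(client: str, request_line: str, status: int, size: int) -> str:
    """Hardened form: control characters become visible \\xNN escapes."""
    shown = _CTL.sub(lambda m: f"\\x{ord(m.group()):02x}", request_line)
    return f'{client} - - "{shown}" {status} {size}\n'

# Constructed sample input: a request line carrying CRLF and a forged entry.
SAMPLE = 'GET /example.php?id=3 HTTP/1.0" 200 452\r\n10.0.23.30 - admin "GET /admin.php'

if __name__ == "__main__":
    # The unsafe writer produces two log lines from one request.
    print(len(naive_log_line("233.252.0.123", SAMPLE, 200, 452).splitlines()))
    # The hardened writer keeps it on one line with the CRLF shown as text.
    print(safe_log_line("233.252.0.123", SAMPLE, 200, 452), end="")
    # The redirect keeps exactly its own three CRLF sequences.
    print(build_redirect("/home\r\nSet-Cookie: x=1"))
```

Escaping rather than deleting the control characters in the log keeps the injection attempt visible to whoever reviews the file.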
