CRLF injection is a type of injection vulnerability found in Web Applications resulting from the failure of the application to properly sanitize its input values. The presence of CRLF injection in a web application code can be used to escalate it to several varieties of more harmful attacks.

Introduction

CRLF injection is a type of injection vulnerability found in Web Applications resulting from the failure of the application to properly sanitize its input values. The presence of CRLF injection in a web application code can be used to escalate it to several varieties of more harmful attacks. CRLF injection attacks can even be exploited to allow an attacker to inject client-side malicious scripts to disclose sensitive information.

What Exactly is CRLF?

The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). When a user sends an HTTP request to a web server, the server acknowledges the request and responds it back with a response header along with the actual requested contents. Both the HTTP headers and the requested contents are separated by a special character which is known as CRLF or Carriage Return Line Feed (\r\n).In HTTP protocol as per RFC 2616, headers are separated by one CRLF and the response’s headers are separated from its body by two.

Most textual protocols (SMTP, HTTP, IRC, etc.) mandate the use of ASCII CR+LF as a line terminator.

In Windows, both a CR and LF are required to note the end of a line (see figure 1) and in Linux/UNIX LF is only required whereas several old Mac OS (pre-OSX Macintosh) use only CR.

A simple HTTP request (from the server) may look like this:

How CRLF Injection is Caused

A CRLF injection occurs mainly by manipulating or modifying a Web Application’s HTTP parameters or URL. On a vulnerable web application, an attacker can easily terminate HTTP headers by inserting CRLF special characters and injecting malicious content. If the attacker inserts a CRLF special character, they can add a new header or malicious content that compromises the Web Application’s security.

Generally, an attacker would perform the attack by generating an URL that includes these characters and the vulnerable server would embed them within the response.

Potential Hazards

The impact of CRLF injection depends on how the Web Application’s validated user’s inputs and what types of data it handles. Although CRLF itself is not a malicious character, attackers can use it for malicious intend if not properly sanitized.

Some of the Web Application Vulnerabilities that can arise because of CRLF injections are mentioned below:

• Cross-Site Scripting
• Client-Side Cookie injection
• HTTP Response Splitting

An attacker can craft different types of payloads to inject CRLF special characters so as to compromise with the Web Application’s Firewall.

In the following examples, the portion of the URL mark in bold letters is the malicious code injected by the attacker. An HTTP response for the tampered URL is also displayed to show how CRLF injection affects the HTTP response. A demonstration of CRLF injection used for achieving a more impactful bug is shown below :

• Cross-site Scripting: The Web Application’s protection for Cross-Site Scripting (XSS) is bypassed by injecting CRLF into the URL and embedding a Cross-Site Scripting (XSS) payload in it via HTTP headers. Here a URL encoded value for CRLF is used so as to tell the browser where the request body starts and insert Cross-Site Scripting payload in it. A simple demonstration is shown below:

  • Request:
    http://vulnerable-website.com/%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3csvg onload%3dalert%28document.domain%29%3e
  • Response:
    

    

• Client-side Cookie Injection: A Client-Side Cookie Injection attack is when an attacker manipulates the contents of the cookie before the cookie is sent to the webserver. This Vulnerability can give rise to Man-in-the-middle Cookie Hijacking, Session Forgery, Session Hijacking, etc.

  A simple demonstration of how a cookie can be injected and its contents being manipulated using CRLF injection is shown below:

  • Request:
    https://vulnerable-website.com/session_start/%0aSet-Cookie: malicious_cookie1
  • Response:

    

• HTTP Response Splitting: HTTP Response splitting occurs when an attacker is able to send a single HTTP request and force the Server to form two output Responses. The attacker may be able to control the first response partially, but the crucial part is the attacker able to craft the whole second response to the last byte of the whole HTTP response body.
  • Request:
    http://vulnerable-website.com/url?=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContentLength:%2019%0d%0a%0d%0a<html>TEST</html>

  • Response:

    

Conclusions

Injection attacks like CRLF injection are often overlooked by developers and security researchers alike, though the impact can be highly escalated. For web applications, CRLF injection can have serious consequences, depending on how the web application handles data. The impact of CRLF injections can vary from other vulnerabilities like Cross-site Scripting (XSS) to serious security flaws like sensitive information disclosure. Developers should be cautious and aware of such potential vulnerabilities present on their platforms. It is always advisable to think like an attacker to know how an attacker would craft their next attack.

As cybersecurity threats continue to increase in number, size, and complexity, businesses should be even more aware of protecting their platforms, networks, and databases. Walnut Security Services will ensure the safety of an Organization’s systems, processes, and infrastructure by implementing robust countermeasures against current cybersecurity threats while recognizing the key challenges of protecting clients’ and consumers’ data.