Generic CRLF Injection Vulnerability Scanner
The CRLF (\r\n) abbreviation refers to Carriage Return and Line Feed. A CRLF injection attack is a type of injection attack that exploits the combination of carriage return and line feed characters, which are used to end a line of text in a file or command.
Short Info
Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 3 days
Scan only one: URL, Request
Toolbox: -
What is CRLF Injection?
Carriage Return (\r) is a control character that signals the end of a line of text and moves the cursor to the beginning of the next line. Line Feed (\n) is a control character that advances the cursor down one line. When these two characters are used together, as they are in a Windows-formatted text file, the web server treats the pair as the end of the request instead of interpreting it as part of the request.
CRLF injection exploits this behavior by including a CRLF sequence in the input data, which causes the web server to process the newline character as a request termination, instead of interpreting it as part of the request. This can be used to inject additional HTTP headers into the request, or to inject HTML or JavaScript code into the response.
Example Code and Scenarios for CRLF Injection Vulnerability
The following is sample pseudocode for a CRLF injection vulnerability:
    # read user input that will be placed in a header, such as a cookie
    user = get('user_name')
    # return the user input in an HTTP header
    set_header('Set-Cookie: your-name=' + user)
If the user sends 'bob' as user_name, the app sets the cookie your-name=bob. However, if an attacker sends an input like `bob\r\n\r\n<script>window.location.href = attacker.website`, the two CRLF sequences end the header block, so the rest of the input is sent as the response body, which is then the attacker's JavaScript code.
Another use of CRLF injection is to corrupt a log by writing false entries into it. If an attacker includes a CRLF sequence in a GET request, the web server processes it and fake data is written to the log file.
For example, if an attacker sends the following request:
"/index.php?page=main&%0d%0a127.0.0.1 - 13:45 - /index.php?page=admin"
the request will be interpreted by the web server and written as follows in the log file.
111.111.111.111 - 13:45 - /index.php?page=main&
127.0.0.1 - 13:45 - /index.php?page=admin
This way, the attackers can obfuscate their actions.
CRLF injection can also be used to inject HTTP headers into an HTTP request. For example, if an attacker can inject the HTTP headers that activate CORS (cross-origin resource sharing), namely Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers and Access-Control-Allow-Credentials, they will be able to access resources using JavaScript. This can be used to perform a cross-site scripting (XSS) attack.
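The header and log cases above, as an added Python example that is not part of the original page or the scanner's own code: the concatenation from the pseudocode beside a version that rejects control characters, plus a log writer that escapes CR/LF. The function names, the response layout and the sample inputs are constructed for illustration.

```python
import re
from urllib.parse import unquote

# CR, LF and the other ASCII control characters never belong in a header value.
_CTL = re.compile(r"[\x00-\x1f\x7f]")

def build_response_vulnerable(user_name: str) -> bytes:
    """Same flaw as the pseudocode: input is concatenated into a header."""
    head = "HTTP/1.1 200 OK\r\nSet-Cookie: your-name=" + user_name + "\r\n\r\n"
    return head.encode("latin-1")

def build_response_hardened(user_name: str) -> bytes:
    """Reject the value outright if it carries any control character."""
    if _CTL.search(user_name):
        raise ValueError("control character in header value")
    return build_response_vulnerable(user_name)

def split_response(raw: bytes):
    """Parse like a client: headers end at the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n")[1:], body  # drop the status line

def log_line(client_ip: str, when: str, raw_path: str) -> str:
    """One entry per request: decoded CR/LF are escaped, so they stay visible."""
    path = unquote(raw_path)
    path = path.replace("\\", "\\\\").replace("\r", "\\r").replace("\n", "\\n")
    return f"{client_ip} - {when} - {path}"

if __name__ == "__main__":
    # Constructed inputs: a benign marker stands in for injected content.
    for name in ("bob", "bob\r\nX-Injected: 1", "bob\r\n\r\nINJECTED-BODY"):
        print(repr(name), "->", split_response(build_response_vulnerable(name)))
        try:
            build_response_hardened(name)
            print("  hardened: accepted")
        except ValueError as exc:
            print("  hardened: rejected,", exc)
    print(log_line("111.111.111.111", "13:45",
                   "/index.php?page=main&%0d%0a127.0.0.1 - 13:45 - /index.php?page=admin"))
```

Escaping in the log writer keeps the forged text on the attacker's own entry, so the source address recorded by the server stays attached to it.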
Impacts of CRLF injection
An attacker can do the following using CRLF injection:
- Redirection of users to malicious websites: An attacker can use CRLF injection to inject a malicious HTTP header into an HTTP request, which can be used to redirect the user to a different website. This can be used to exploit vulnerabilities on the target website, or to steal user credentials.
- Poisoning log file: An attacker can corrupt a log and replace its data with wrong values, so the attacker can obfuscate their actions.
- Cross-site scripting (XSS): An attacker can use CRLF injection to inject malicious JavaScript into a response, which can be used to steal user credentials or to execute arbitrary code on the user's computer.
- Denial of service attacks: An attacker can use CRLF injection to inject a large number of HTTP headers into an HTTP request, which can cause the web server to crash or consume all available resources.
Detection of CRLF Injection Vulnerability
Detecting CRLF injection vulnerabilities can be difficult, as it requires knowledge of how the web server processes input data. However, some methods that can be used to detect these vulnerabilities include:
- Reviewing the source code of the web application for any instances of CRLF sequences.
- Using a proxy tool such as Fiddler or Burp Suite to capture and analyze the HTTP requests and responses while accessing the web application.
- Using a vulnerability scanner such as S4E online CRLF Injection scanner to scan for CRLF injection vulnerabilities.