Security for everyone

Generic CRLF Injection Vulnerability Scanner

The CRLF (\r\n) abbreviation refers to Carriage Return and Line Feed. A CRLF injection attack is a type of injection attack that exploits the combination of a carriage return and line feed characters, which are used to end a line of text in a file or command.

SCAN NOW

Short Info


Level

Medium

Type

Single Scan

Can be used by

Asset Owner

Estimated Time

10 sec

Scan only one

Url, Request

Parent Category

Generic CRLF Injection Vulnerability Scanner Detail

What is CRLF Injection?

Carriage Return (\r) is a control character that signals the end of a line of text and moves the cursor to the beginning of the next line. Line Feed (\n) is a control character that advances the cursor down one line. When these two characters are used together, as they are in a Windows-formatted text file, it causes the web server to treat the following newline character as the end of the request, instead of interpreting it as part of the request.

CRLF injection exploits this behavior by including a CRLF sequence in the input data, which causes the web server to process the newline character as a request termination, instead of interpreting it as part of the request. This can be used to inject additional HTTP headers into the request, or to inject HTML or JavaScript code into the response.

Example Code and Scenarios for CRLF Injection Vulnerability

The following is a sample pseudo CRLF injection vulnerability code:

#set a user input in a header such as cookies
user=get('user_name')
#return user input in HTTP header
set_header('Cookie: your-name='+user)
If the user send 'bob' as user_name, app will set a cookie as your-name=bob
However, if an attacker send an input like
`bob\r\n\r\n<script>window.location.href = attacker.website`
Then response body will be set as malicious javascript code.

Another example of where CRLF injection can be used is to corrupt a log and change its data with wrong values. If an attacker includes a CRLF sequence in the GET request, it will be processed by the web server, and fake data will be written in the log file.

For example, if an attacker sends following request

"/index.php?page=main&%0d%0a127.0.0.1 - 13:45 - /index.php?page=admin"

the request will be interpreted by the web server and written as follows in the log file.

111.111.111.111 - 13:45 - /index.php?page=main&
127.0.0.1 - 13:45 - /index.php?page=admin

This way, the attackers can obfuscate their actions.

CRLF injection can also be used to inject HTTP headers into an HTTP request. For example, if an attacker can inject HTTP headers(Access-Control-Allow-Origin, Access-Control-Allow-Methods,Access-Control-Allow-Headers,Access-Control-Allow-Credentials) that activate CORS (cross-origin resource sharing), they will be able to access resources using JavaScript. This can be used to perform a cross-site scripting (XSS) attack.

Impacts of CRLF injection

An attacker can be done following with using CRLF injection:

  • Redirection of users to malicious websites:
  • An attacker can use CRLF injection to inject a malicious HTTP header into an HTTP request, which can be used to redirect the user to a different website. This can be used to exploit vulnerabilities on the target website, or to steal user credentials.

  • Poisoning log file:
  • An attacker can corrupt a log and change its data with wrong values, so the attackers can obfuscate their actions.

  • Cross-site scripting (XSS):
  • An attacker can use CRLF injection to inject a malicious JavaScript into a response, which can be used to steal user credentials or to execute arbitrary code on the user's computer.

  • Denial of service attacks:
  • An attacker can use CRLF injection to inject a large number of HTTP headers into an HTTP request, which can cause the web server to crash or consume all available resources.

    Detection of CRLF Injection Vulnerability

    Detecting CRLF injection vulnerabilities can be difficult, as it requires knowledge of how the web server processes input data. However, some methods that can be used to detect these vulnerabilities include:

    • Reviewing the source code of the web application for any instances of CRLF sequences.
    • Using a proxy tool such as Fiddler or Burp Suite to capture and analyze the HTTP requests and responses while accessing the web application.
    • Using a vulnerability scanner such as S4E online CRLF Injection scanner to scan for CRLF injection vulnerabilities.
cyber security services for everyone one. Free security tools, continuous vulnerability scanning and many more.
Try it yourself,
control security posture