When a browser sends a request to a web server, the web server answers back with a response containing both the HTTP headers and the actual website content. The HTTP headers and the HTML response (the website content) are separated by a specific combination of special characters, namely a carriage return and a line feed. For short they are also known as CRLF.
The server knows when a new header begins and another one ends with CRLF, which can also tell a web application or user that a new line begins in a file or in a text block.
In a CRLF injection vulnerability attack the attacker inserts carriage return and / or linefeed characters into user input to trick the server, web application or the user into thinking that an object is terminated and another one has started.
In web applications a CRLF injection can have severe impacts, depending on what the application does with single items. Impacts can range from information disclosure to code execution. For example it is also possible to manipulate log files in an admin panel as explained in the below example.
Imagine a log file in an admin panel with the pattern IP - Time - Visited Path. Therefore entries appear like:
220.127.116.11 - 08:15 - /index.php?page=home
If an attacker is able to insert the CRLF characters into the query he is able to fake those log entries and change them into:
/index.php?page=home&%0d%0a127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit
%0d and %0a is the url encoded form of CR and LF. Therefore the log entries would look like this after the attacker inserted those characters and the application displays it:
IP - Time - Visited Path
18.104.22.168 - 08:15 - /index.php?page=home&
127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit
Therefore by exploiting a CRLF injection vulnerability the attacker can fake entries in the log file to obfuscate his own malicious actions. For example imagine a scenario where the attacker has the admin password and executed the restrictedaction parameter, which can only be used by an admin.
The problem is that if the administrator notices that an unknown IP used the restrictedaction parameter, will notice that something is wrong. However, since now it looks like the command was issued by the localhost (and therefore probably by someone who has access to the server, like an admin) it does not look suspicious.
The whole part of the query beginning with %0d%0a will be handled by the server as one parameter. After that there is another & with the parameter restrictedaction which will be parsed by the server as another parameter. Effectively this would be the same query as:
Since the header of a HTTP response and its body are separated by CRLF characters an attacker can try to inject those. A combination of CRLFCRLF will tell the browser that the header ends and the body begins. That means that he is now able to write data inside the response body where the html code is stored. This can lead to a Cross-site Scripting vulnerability.
Imagine an application that sets a custom header, for example:
The value of the header is set via a get parameter called “name”. If no URL encoding is in place and the value is directly reflected inside the header it might be possible for an attacker to insert the above mentioned combination of CRLFCRLF to tell the browser that the request body begins. That way he is able to insert data such as XSS payload, for example:
The above will display an alert window in the context of the attacked domain.
By exploiting a CRLF injection an attacker can also insert HTTP headers which could be used to defeat security mechanisms such as a browser’s XSS filter or the same-origin-policy. This allows the attacker to gain sensitive information like CSRF tokens. He can also set cookies which could be exploited by logging the victim in the attacker’s account or by exploiting otherwise unexploitable cross-site scripting (XSS) vulnerabilities.
The impact of CRLF injections vary and also include all the impacts of Cross-site Scripting to information disclosure. It can also deactivate certain security restrictions like XSS Filters and the Same Origin Policy in the victim's browsers, leaving them susceptible to malicious attacks.
The best prevention technique is to not let users supply input directly inside response headers. If that is not possible, you should always use a function to encode the CR and LF special characters. It is also advised to update your programming language to a version that does not allow CR and LF to be injected inside functions that set headers.