CRLF Injection and HTTP Response Splitting Vulnerability

Category: Web Security Readings - Thu, 08 Sep 2016 - by Robert Abela

What is CRLF?

When a browser sends a request to a web server, the web server answers back with a response containing both the HTTP headers and the actual website content. The HTTP headers and the HTML response (the website content) are separated by a specific combination of special characters, namely a carriage return and a line feed. For short they are also known as CRLF.

The server knows when a new header begins and another one ends with CRLF, which can also tell a web application or user that a new line begins in a file or in a text block.

What is the CRLF Injection Vulnerability?

In a CRLF injection vulnerability attack the attacker inserts carriage return and / or linefeed characters into user input to trick the server, web application or the user into thinking that an object is terminated and another one has started.

CRLF injection in web applications

In web applications a CRLF injection can have severe impacts, depending on what the application does with single items. Impacts can range from information disclosure to code execution. For example it is also possible to manipulate log files in an admin panel as explained in the below example.

An example of CRLF Injection in a log file

Imagine a log file in an admin panel with the pattern IP - Time - Visited Path. Therefore entries appear like:

123.123.123.123 - 08:15 - /index.php?page=home

If an attacker is able to insert the CRLF characters into the query he is able to fake those log entries and change them into:

/index.php?page=home&%0d%0a127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit

%0d and %0a is the url encoded form of CR and LF. Therefore the log entries would look like this after the attacker inserted those characters and the application displays it:

IP - Time - Visited Path
123.123.123.123 - 08:15 - /index.php?page=home&
127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit

Therefore by exploiting a CRLF injection vulnerability the attacker can fake entries in the log file to obfuscate his own malicious actions. For example imagine a scenario where the attacker has the admin password and executed the restrictedaction parameter, which can only be used by an admin.

The problem is that if the administrator notices that an unknown IP used the restrictedaction parameter, will notice that something is wrong. However, since now it looks like the command was issued by the localhost (and therefore probably by someone who has access to the server, like an admin) it does not look suspicious.

The whole part of the query beginning with %0d%0a will be handled by the server as one parameter. After that there is another & with the parameter restrictedaction which will be parsed by the server as another parameter. Effectively this would be the same query as:

/index.php?page=home&restrictedaction=edit

HTTP Response Splitting

Description

Since the header of a HTTP response and its body are separated by CRLF characters an attacker can try to inject those. A combination of CRLFCRLF will tell the browser that the header ends and the body begins. That means that he is now able to write data inside the response body where the html code is stored. This can lead to a Cross-site Scripting vulnerability.

An example of HTTP Response Splitting leading to XSS

Imagine an application that sets a custom header, for example:

X-Your-Name: Bob

The value of the header is set via a get parameter called “name”. If no URL encoding is in place and the value is directly reflected inside the header it might be possible for an attacker to insert the above mentioned combination of CRLFCRLF to tell the browser that the request body begins. That way he is able to insert data such as XSS payload, for example:

?name=Bob%0d%0a%0d%0a<script>alert(document.domain)</script>

The above will display an alert window in the context of the attacked domain.

HTTP Header Injection

Description

By exploiting a CRLF injection an attacker can also insert HTTP headers which could be used to defeat security mechanisms such as a browser’s XSS filter or the same-origin-policy. This allows the attacker to gain sensitive information like CSRF tokens. He can also set cookies which could be exploited by logging the victim in the attacker’s account or by exploiting otherwise unexploitable cross-site scripting (XSS) vulnerabilities.

An example of HTTP Header Injection to extract sensitive data

If an attacker inserts the headers that would activate CORS (Cross Origin Resource Sharing), he can use javascript to access resources that are otherwise protected by SOP (Same Origin Policy) which prevents sites from different origins to access each other.

Impacts of the CRLF injection Vulnerability

The impact of CRLF injections vary and also include all the impacts of Cross-site Scripting to information disclosure. It can also deactivate certain security restrictions like XSS Filters and the Same Origin Policy in the victim's browsers, leaving them susceptible to malicious attacks.

How to Prevent CRLF / HTTP Header Injections in Web Applications

The best prevention technique is to not let users supply input directly inside response headers. If that is not possible, you should always use a function to encode the CR and LF special characters. It is also advised to update your programming language to a version that does not allow CR and LF to be injected inside functions that set headers.

 


Netsparker

Dead accurate, fast & easy-to-use Web Application Security Scanner

DOWNLOAD DEMO TRY ONLINE SCAN