Skip to main content

Carriage Return Line Feed

What is a CRLF injection?

A CRLF (Carriage Return Line Feed) Injection vulnerability is a type of security issue that occurs when an attacker can inject a CRLF sequence into an HTTP stream. This is significant because CRLF sequences are used to separate headers and other elements in HTTP protocol.

The name "CRLF" comes from the special characters used to denote the end of a line in many text formats, specifically Carriage Return (CR, or \r) and Line Feed (LF, or \n).

If an application does not properly sanitize user input and allows raw user input to be inserted into HTTP headers or other parts of an HTTP response, an attacker could inject CRLF sequences along with arbitrary HTTP headers or other content.

This could lead to several types of attacks, including:

  1. HTTP Response Splitting: This is where the attacker causes the server to send a corrupted HTTP response, which can trick the browser into executing a malicious script or visiting a malicious site. This can lead to cross-site scripting (XSS) or cache poisoning attacks.
  2. HTTP Header Injection: The attacker injects malicious headers into the HTTP response, which can be used to perform redirection attacks, or to set malicious cookies.
  3. Log Injection: If the injected data is written to a log file, the attacker can manipulate the contents of the log file, which can lead to further attacks or misinformation.

Check out this video for a high-level explanation:

What is the impact of CRLF injection?

CRLF Injection vulnerabilities can have several potential impacts, depending on how they are exploited. Here are a few examples:

  1. HTTP Response Splitting: This can lead to a variety of attacks, including cross-site scripting (XSS), session fixation, or cache poisoning. By manipulating the HTTP response, an attacker can trick a user's browser into executing malicious scripts or visiting malicious sites.
  2. HTTP Header Injection: By injecting malicious headers into the HTTP response, an attacker can perform redirection attacks, tricking the user's browser into visiting a malicious site. They can also set malicious cookies, potentially leading to session hijacking or other attacks that exploit cookies.
  3. Log Injection: If the injected data is written to a log file, an attacker can manipulate the contents of the log file. This can lead to misinformation, obscuring the attacker's activities and making it harder to detect or investigate attacks. In some cases, if the log files are later displayed or processed unsafely, log injection can even lead to further attacks such as XSS or Code Execution.

How to prevent CRLF injection?

Preventing CRLF Injection vulnerabilities primarily involves validating and sanitizing user input. Here are some specific steps you can take:

  1. Input Validation: Validate all user input to ensure it conforms to the expected format. For example, if you're expecting a numerical ID, make sure the input is indeed a number.
  2. Reject or Sanitize CRLF Sequences: If your application has no legitimate reason to include CRLF sequences in user input, you should reject any input that contains them. If there are valid reasons for including CRLF sequences, you should sanitize the input to ensure that they can't be used to inject arbitrary headers or split HTTP responses.
  3. Use Safe APIs: Some programming languages and frameworks provide APIs that automatically sanitize header values, making it impossible to inject CRLF sequences. Whenever possible, use these APIs instead of manually constructing HTTP headers.
  4. URL Encoding: If user input is included in URLs, make sure it's URL-encoded. This can prevent many types of injection attacks, including CRLF injection.
  5. Content Security Policy (CSP): Implementing a strong CSP can help to mitigate the impact of potential CRLF vulnerabilities, as it can prevent the execution of injected scripts.

References

Taxonomies

Explanation & Prevention

Training