Understanding CRLF Injection
2023-11-11 15:52:38 Author: infosecwriteups.com

Security Lit Limited

InfoSec Write-ups


When browsing the internet, the security of the web applications we interact with is paramount to ensuring our personal information remains safe. However, vulnerabilities like CRLF (Carriage Return and Line Feed) injection can pose a significant risk. Let’s delve into the technicalities and explore some real-world examples of how CRLF injections can be exploited.

What is CRLF Injection?

CRLF injection is a security vulnerability that allows an attacker to insert a carriage return (CR, \r, %0d) and a line feed (LF, \n, %0a) into a web application. This can lead to HTTP Response Splitting, where an attacker modifies an HTTP response, potentially leading to further attacks like XSS (Cross-Site Scripting), web cache poisoning, or even website defacement.

Basic CRLF Injection

Imagine an attacker discovers a website where the user input is directly reflected in the HTTP response headers without proper sanitization. They craft a URL like this:

<http://vulnerable-website.com/login?redirect=%0d%0aSet-Cookie:sessionid=evilcookie>

Here, %0d%0a is the URL-encoded representation of CRLF. If the server reflects this input in a response header without validation, the injected sequence ends the current header line and the remainder is parsed as a new header, allowing the attacker to set a cookie.

Advanced CRLF Injection with Open Redirect

On some misconfigured servers, an open redirect can be chained with a CRLF injection. Consider this URL:

<http://vulnerable-website.com//www.google.com/%2f%2e%2e%0d%0aheader:header>

The encoded sequence %2f%2e%2e decodes to /.., a path-traversal attempt, followed by %0d%0a, which injects a line break. If the server accepts this URL, it might redirect to Google while also emitting the injected header as part of the response, illustrating how CRLF injection can be chained with other vulnerabilities.
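The two sections above both come down to one server-side mistake: a user-controlled value is concatenated into a header line (here the Location header of a redirect) without checking it for CR and LF. The following Python example is added here and is not code from the article or from InfoSec Write-ups. It shows the vulnerable construction beside a hardened version that rejects control characters, a small parser that makes the split visible by listing the header names a client would see, and a check that flags encoded CR/LF (including a double-encoded form) in constructed access-log lines. The function names, the log format and all sample values are assumptions made for the example.

```python
"""CRLF injection: vulnerable header construction, a hardened version,
and a log check for encoded CR/LF in request targets.
All sample inputs below are constructed for this example."""
import re
from urllib.parse import unquote

CRLF = "\r\n"


def build_redirect_unsafe(location: str) -> str:
    """Vulnerable pattern: user input is concatenated straight into a header line.
    A value containing CR/LF terminates the Location header early and the rest
    is parsed as additional header lines (HTTP response splitting)."""
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + location + CRLF + CRLF


# Characters that must never appear inside an HTTP header value.
_HEADER_CTRL = re.compile(r"[\r\n\x00]")


def safe_header_value(value: str) -> str:
    """Reject header values containing CR, LF or NUL instead of stripping them;
    rejecting keeps the attempt visible (it can be logged) rather than silently
    turning it into a 'repaired' header."""
    if _HEADER_CTRL.search(value):
        raise ValueError("control character in header value")
    return value


def build_redirect_safe(location: str) -> str:
    """Hardened version of build_redirect_unsafe: the value is validated first."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + safe_header_value(location) + CRLF
        + CRLF
    )


def header_names(raw_response: str) -> list[str]:
    """Parse the header block of a raw response and return the header names a
    client would see; used here only to show the effect of the injection."""
    head = raw_response.split(CRLF + CRLF, 1)[0]
    lines = head.split(CRLF)[1:]  # drop the status line
    return [line.split(":", 1)[0].strip() for line in lines if ":" in line]


# Encoded CR or LF anywhere in a request target is suspicious.
_ENCODED_CRLF = re.compile(r"%0[dD]|%0[aA]")


def flag_crlf_requests(log_lines: list[str]) -> list[str]:
    """Return request targets (from a constructed access-log format) that carry
    an encoded CR/LF either directly or after one round of URL decoding, so
    that a double-encoded %250d%250a is caught as well."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', line)
        if not m:
            continue
        target = m.group(1)
        decoded = unquote(target)
        if (_ENCODED_CRLF.search(target) or _ENCODED_CRLF.search(decoded)
                or "\r" in decoded or "\n" in decoded):
            flagged.append(target)
    return flagged


# Constructed value mirroring the article's first example, already URL-decoded
# as the application would see it after the framework parses the query string.
EVIL_REDIRECT = "/home\r\nSet-Cookie: sessionid=evilcookie"

# Constructed access-log lines (hypothetical hosts and timestamps).
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Nov/2023:15:52:38 +0000] "GET /login?redirect=%2Fhome HTTP/1.1" 302 0',
    '10.0.0.9 - - [11/Nov/2023:15:52:40 +0000] "GET /login?redirect=%0d%0aSet-Cookie:sessionid=evilcookie HTTP/1.1" 302 0',
    '10.0.0.9 - - [11/Nov/2023:15:52:41 +0000] "GET /login?redirect=%250d%250aX-Test:1 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    # The unsafe builder yields two headers from one input value.
    print(header_names(build_redirect_unsafe(EVIL_REDIRECT)))
    try:
        build_redirect_safe(EVIL_REDIRECT)
    except ValueError as exc:
        print("rejected:", exc)
    print(flag_crlf_requests(SAMPLE_LOG))
```

The hardened builder refuses the value rather than deleting the offending characters; most modern frameworks (Python's standard http.client among them) already raise an error for header values containing CR or LF, so the practical defence is to never bypass the framework's header API by writing raw header strings. The log check is intentionally broad: a single %0d or %0a in a request target that should never contain one is worth an alert on its own.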

CRLF Injection Leading to XSS

Attackers can escalate a CRLF injection to execute JavaScript in the user's browser. Look at this payload:

%0d%0aContent-Length:35%0d%0aX…

Source: https://infosecwriteups.com/understanding-crlf-injection-7b042fd5fb22?source=rss----7b722bfd1b8d--bug_bounty