One sort of injection attack is a CRLF injection attack. It has the potential to progress to more malicious attacks such as Cross-site Scripting (XSS), page injection, web cache poisoning, cache-based defacement, and others. If an attacker can inject CRLF characters into a web application, such as through a user input form or an HTTP request, a CRLF injection vulnerability occurs.
Carriage Return and Line Feed is abbreviated as CRLF. CR and LF are special characters (ASCII 13 and 10, respectively, sometimes known as rn) used to indicate the end of a line (EOL). The CRLF sequence is used in operating systems such as Windows (but not Linux/UNIX), as well as Internet protocols such as HTTP.
The most frequent applications for CRLF injection attacks are log poisoning and HTTP response splitting. In the first instance, the attacker forges log file entries by adding a line break and an extra line. This can be used to conceal other assaults or to perplex system administrators. In the second situation, CRLF injection is used to insert HTTP headers into the HTTP response and, for example, execute an XSS attack that results in information exposure. To add SMTP headers to emails, a similar technique known as Email Header Injection can be employed.
Example: CRLF injection in a log file
Consider a log file in an admin panel that has the output stream pattern IP – Time – Visited Path, as shown below:
179.179.179.179 - 07:45 - /index.do?page=home
If an attacker can insert CRLF characters into the HTTP request, they can modify the output stream and create bogus log entries. The web application’s answer may be altered to something like this:
/index.do?page=home&%0d%0a127.0.0.1 - 07:45 - /index.do?page=home&restrictedaction=edit
The %0d and %0a are URL-encoded forms of CR and LF. As a result, when the attacker entered those characters and the program displayed them (IP – Time – Visited Path), the log entries would appear like this:
179.179.179.179 - 07:45 - /index.do?page=home&
127.0.0.1 - 07:45 - /index.do?page=home&restrictedaction=edit
Attackers can conceal their activity by exploiting a CRLF injection vulnerability in the log file. In this situation, the attacker is essentially stealing the website and altering the response.
Consider the following scenario: the attacker possesses the admin password and utilizes the restricted action parameter, which can only be used by an administrator. If an administrator detects an unrecognized IP using the restricted action option, he or she may assume nefarious behavior. However, because the command appears to have been given by the localhost (and hence by someone with access to the server, such as an administrator), it does not appear suspicious.
ZOFixer.com security scan helps to find this vulnerability in your software and server, you can easily use it by registering on our website and activating the 30-day trial.