CRLF stands for the special characters Carriage Return (\r) and Line Feed (\n), two elements used in specific operating systems, such as Windows, as well as various internet protocols like HTTP. Carriage Return signifies the end of a line, whereas Line Feed denotes a new line.
Usually, the purpose of the CRLF combination is to signal where an object in a text stream ends or begins. For example, when a client (browser) requests content from a website, the server returns the content (the response body) together with HTTP headers. In the response, the headers are separated from the actual website content by CR and LF characters.
What is a CRLF injection attack?
However, the CRLF character sequence can also be used maliciously, in what is known as a CRLF injection attack. This is a server-side injection attack at the application layer.
By exploiting a CRLF injection vulnerability in the server that allows user input from an untrusted source, attackers can split text streams and introduce malicious content that isn’t neutralized or sanitized.
For such an attack to succeed, the server must both accept such user input and actually interpret CRLF characters. That is, if the platform does not use these characters, it will not be vulnerable even if unsanitized user input gets through.
If a CRLF injection is successful, this can open the door for further exploits such as cross-site scripting (XSS), web server cache poisoning or client web browser poisoning, client session hijacking, cookie injections, phishing attacks, website defacement, and more.
In other words, a CRLF injection attack is typically not an end in itself but a means of opening the door for further attacks.
What are the types of CRLF injections?
There are two main types of CRLF injections: HTTP response splitting and log injection. Read more about them below.
HTTP response splitting
A more accurate name for this type of injection is Improper Neutralization of CRLF Sequences in HTTP Headers, which also describes the main weakness behind the attack.
If a server does not properly sanitize user-provided input, attackers can inject CRLF characters and a text sequence of their own or inject HTTP headers. The purpose of this is to force the server to perform a particular action.
After the injection, the server's response header will include the attackers' instructions. Moreover, once attackers have managed to split the response, they can craft additional responses of their own and have them sent to the client.
The browser, receiving these instructions, will carry them out. The result may be to open the door for further attacks or to carry out actions that lead to a breach and compromise of data.
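How the split described above happens in code, together with the header check that the mitigations later in this article call for, as an added example that is not part of the original article (the builder functions and the sample redirect value are constructed for illustration):

```python
# Added example (not from the original article): a raw redirect built from an
# untrusted value, the same builder hardened to refuse CR/LF, and a counter
# showing how many responses a client would parse. Names are constructed.
CRLF = "\r\n"


def is_safe_header_value(value: str) -> bool:
    """A header value may not contain CR or LF (RFC 9110 field values)."""
    return "\r" not in value and "\n" not in value


def build_redirect_vulnerable(location: str) -> str:
    """Build a raw 302 response, placing `location` in the header as-is."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + location + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def build_redirect_hardened(location: str) -> str:
    """Same response, but refuse any value that could split the stream.
    Rejecting (rather than silently stripping) keeps the attempt visible
    to error handling and logging."""
    if not is_safe_header_value(location):
        raise ValueError("header value must not contain CR or LF")
    return build_redirect_vulnerable(location)


def count_responses(raw: str) -> int:
    """How many responses a client would parse from `raw`: each one starts
    with a status line at the beginning of a line. A clean reply yields 1."""
    return sum(1 for ln in raw.split(CRLF) if ln.startswith("HTTP/1."))


# Constructed sample: a redirect target (e.g. an unvalidated ?next= value)
# carrying CRLF sequences that terminate the first response and begin a
# second one that the server never intended to send.
INJECTED = (
    "/home" + CRLF
    + "Content-Length: 0" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Length: 0" + CRLF + CRLF
)

if __name__ == "__main__":
    print(count_responses(build_redirect_vulnerable("/home")))    # 1
    print(count_responses(build_redirect_vulnerable(INJECTED)))   # 2
```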
Log injection
Log injection is also known as log poisoning or log splitting. This attack entails inserting untrusted or unvalidated data into a log file, which can be anything from a system log to a user or access log.
There are several types of log injection attacks. One is to corrupt a log and make it unusable, or to forge it by changing its data and creating fake log entries. Log forging can be used to cover the traces of an attack, draw attention to another party and create confusion, and divert attention from other attacks being launched at the same time.
The second use of log injection is to launch an XSS attack when the log is viewed through a vulnerable web application. A third is to insert commands that a parser could execute upon reading the log.
In each of these cases, attackers rely on being able to inject unsanitized data into logs with the help of CRLF characters.
What is the impact of CRLF injection attacks?
Most modern servers are likely not vulnerable to CRLF injection, as administrators have taken the necessary steps to prevent it. However, depending on an application's level of security, the severity of a CRLF injection can range from minor to very serious.
A successful CRLF injection can have all the consequences of an XSS or cross-site request forgery (CSRF) attack, such as the disclosure or corruption of sensitive user information. Such an attack can potentially lead to an entire file system being deleted if attackers gain the necessary access.
How to avoid CRLF injection vulnerabilities?
Luckily, vulnerabilities that may lead to CRLF injection are easy to fix. Here are some of the ways you can protect your application against them:
- Never trust user input, and never use it directly in the HTTP stream
- Sanitize and validate all user-supplied input before it reaches response headers, and/or encode output in HTTP headers that are visible to users, to prevent injection in the response
- Encode CRLF characters so that the server does not recognize them as line terminators, even when they are provided
- Remove newline characters before passing content into a header
- Disable any unnecessary or unused headers in the web server
- Remove CRLF from the data before logging it
- Apply all the latest patches
- Scan regularly
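The logging side of this advice (remove CRLF from data before logging it) and the log injection section above, as an added example that is not part of the original article: a writer that neutralizes control characters before they reach a record, and an audit pass over an existing log that flags lines the writer could not have produced. The record format and the sample log are constructed for illustration.

```python
# Added example (not from the original article): neutralize CR/LF before a
# value reaches a log, and audit an existing log for lines an injection
# could have produced. The record format and the sample log are constructed.
import re
from datetime import datetime, timezone
from typing import Optional

# Every genuine record: ISO-8601 UTC timestamp, level in brackets, message.
RECORD = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \[(INFO|WARN|ERROR)\] ")

def neutralize(value: str) -> str:
    """Escape CR, LF and other control characters so an untrusted value
    can never terminate the current record or start a new one."""
    return "".join(f"\\x{ord(c):02x}" if ord(c) < 0x20 or c == "\x7f" else c
                   for c in value)

def log_line(level: str, message: str, now: Optional[datetime] = None) -> str:
    """Format one record; untrusted text only enters through neutralize()."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} [{level}] {neutralize(message)}"

def audit_log(log_text: str) -> list:
    """Return (line_no, reason) for lines the writer above could not have
    produced: a stray CR (a CRLF split by an LF-based reader), a line
    without the record prefix, or a timestamp earlier than the previous one."""
    findings = []
    last_ts = None
    for no, ln in enumerate(log_text.split("\n"), start=1):
        if not ln:
            continue
        if "\r" in ln:
            findings.append((no, "stray carriage return"))
            ln = ln.rstrip("\r")
        m = RECORD.match(ln)
        if not m:
            findings.append((no, "missing record prefix"))
            continue
        if last_ts is not None and m["ts"] < last_ts:
            findings.append((no, "timestamp earlier than previous record"))
        last_ts = m["ts"]
    return findings

# Constructed sample: the second record was written from an unsanitized
# username carrying CRLF plus a forged "admin" record.
RAW_LOG = (
    "2024-05-01T10:00:00Z [INFO] login ok user=alice\n"
    "2024-05-01T10:00:05Z [WARN] login failed user=bob\r\n"
    "2024-05-01T09:59:00Z [INFO] login ok user=admin\n"
    "2024-05-01T10:00:07Z [INFO] logout user=alice\n"
)
```

Running `audit_log(RAW_LOG)` flags line 2 for its stray carriage return and line 3 for a timestamp that runs backwards; writing the same username through `log_line` instead yields one record with the CRLF escaped.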