43 lines
1.1 KiB
Markdown
43 lines
1.1 KiB
Markdown
|
+++
|
||
|
|
title = 'HowWorks CRLF'
|
||
|
|
date = 2025-01-14
|
||
|
|
+++
|
||
|
|
|
||
|
|
> 'HowWorks' - new post type, explains how something works, in that case CRLF vulnerability
|
||
|
|
|
||
|
|
If we can inject some data in web app that doesn't get proper validation/filtering and used in HTTP response Headers, then we can inject `\r\n` (HTTP line break, CRLF).
|
||
|
|
|
||
|
|
You can think of it as stored XSS, but instead Javascript, we inject `\r\n` which will allow to effectivly modify entire HTTP response from server to specific endpoint.
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
Example - set name to `username%0d%0aLocation:http://malicioussite.com/` to redirect anyone who access your username in url.
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
[Impact](https://www.imperva.com/learn/application-security/crlf-injection/):
|
||
|
|
- XSS
|
||
|
|
- Log Injection
|
||
|
|
- HTTP Header Injection
|
||
|
|
- HTTP Response Splitting
|
||
|
|
- Log Tampering
|
||
|
|
- Cookie Injection
|
||
|
|
- Phishing
|
||
|
|
- Web Cache Poisoning
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
It's a rare bug nowadays.
|
||
|
|
|
||
|
|
> Truth be told, I thought it's more complex
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
{{< source >}}
|
||
|
|
https://owasp.org/www-community/vulnerabilities/CRLF_Injection
|
||
|
|
https://www.imperva.com/learn/application-security/crlf-injection/
|
||
|
|
{{< /source >}}
|
||
|
|
|