27 lines
987 B
Markdown
+++
title = 'HowTo CRLF'
date = 2024-09-18
+++

Mostly a fixed thing! May occur in some handwritten web servers.<!--more-->

CRLF - Carriage Return (`\r`) Line Feed (`\n`) (or `%0d` `%0a`)

Inserting `\r\n` into a URL allows an attacker to perform:
- log splitting - inserting fake entries into the server logs that may deceive an administrator
- HTTP response splitting - allows adding HTTP headers to the HTTP response <!-- TODO how does it work? -->
- XSS - `www.target.com/%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E` - disables XSS protection, sets a custom Location (but does it work without a 302/201 status???), sets the HTML content type and injects JavaScript.
- cookie injection
- check another note

For example:
`GET /%0d%0aSet-Cookie:CRLFInjection=PreritPathak HTTP/1.1`
This will add a `Set-Cookie:CRLFInjection=PreritPathak` header to the HTTP response.
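
Why the extra header appears, and the check that stops it, as an added example (not from the original note or its source). It assumes a hypothetical handwritten server that percent-decodes the request path and reflects it into a `Location` header; the redirect behaviour and all function names are assumptions.

```python
from urllib.parse import quote, unquote

# Request line taken from the note above.
REQUEST_LINE = "GET /%0d%0aSet-Cookie:CRLFInjection=PreritPathak HTTP/1.1"


def decoded_path(request_line):
    """Return the percent-decoded request target, as a naive server would."""
    _method, target, _version = request_line.split(" ")
    return unquote(target)


def vulnerable_response(request_line):
    """Assumed behaviour: reflect the decoded path into Location unfiltered."""
    path = decoded_path(request_line)
    return ("HTTP/1.1 301 Moved Permanently\r\n"
            f"Location: https://www.target.com{path}\r\n"
            "Content-Length: 0\r\n\r\n")


def hardened_response(request_line):
    """Reject control characters, then re-encode the path before reflecting."""
    path = decoded_path(request_line)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in path):
        return "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return ("HTTP/1.1 301 Moved Permanently\r\n"
            f"Location: https://www.target.com{quote(path)}\r\n"
            "Content-Length: 0\r\n\r\n")


def header_names(raw_response):
    """Parse the header block as a client does: one header per CRLF line."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


if __name__ == "__main__":
    # The decoded \r\n ends the Location line, so Set-Cookie becomes a header.
    print(header_names(vulnerable_response(REQUEST_LINE)))
    # The hardened server answers 400 and emits no injected header.
    print(header_names(hardened_response(REQUEST_LINE)))
    # An ordinary path (constructed sample) still gets its redirect.
    print(header_names(hardened_response("GET /docs/index.html HTTP/1.1")))
```

Mature servers and frameworks refuse CR/LF in header values, which is why this mostly shows up in hand-rolled response builders.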

{{< source >}}
https://www.geeksforgeeks.org/crlf-injection-attack/
{{< /source >}}