CRLF Injection

What is it

Also known as HTTP response splitting it is a simple but powerful web attack. CR (Carriage Return) and LF (Line Feed) are two important components of an HTTP response header that tells the browser (and other components in between like proxy servers and caching servers) that the data has been transferred and the connection can be closed.

By inserting CRLF in a response and sending incomplete data, the system / application runs into chaos as the output is not in expected format resulting in unexpected outputs.

How serious is it

CRLF vulnerabilities are usually exploited so that other exploits (proxy server poisoning, cache server poisoning, session hijacking and also web site defacement) can be enabled (also called chained exploits).

The impact of CRLF Injection may result in

  • XSS
  • Website defacement
  • Proxy server poisoning
  • Browser poisoning
  • Session hijacking
  • Installing malicious software like key loggers, virus, Trojans, worms etc.
  • Gaining access to data contained in your system (loss of Confidentiality)
  • Possibility of loss of data (loss of Availability);
  • The amount of data an attacker can retrieve depends on multiple factors like his creative skills, system design and implementation.

    How to prevent

    Verify user input. In other words never trust the user. Always sanitize the user input so that any response splitting attack could be stopped.

    Implement Secure Software Development Lifecycle (SSDLC)

    Secure Coding guidelines although critical form ONLY a piece of the puzzle. In order to ensure that applications are secure, security need to be bolted right from the requirements stage and should extrapolate across every other stage be it Design, Coding, Review, Testing, Release or implementation.