Coders Conquer Security: Share & Learn Series - CRLF Injection
With blogs or articles like this one, readers are aided by punctuation marks. For example, periods tell readers where a sentence ends, while commas either separate articles in lists or insert hard pauses to help separate ideas. With a well-written blog (like this one), the punctuation is almost invisible, just part of the standard background code that we all learned to process many years ago.
But what happens if a hacker gets into this article and inserts weird punctuation marks in the wrong places? Like this:
Without,even! changing. the, text. it? can. make it! much? harder. to? process! the, information!
That is basically what happens with a CRLF injection attack. The CRLF letters stand for Carriage Return and Line Feed, which are used individually or together to note the termination of a line. If an attacker can insert a CR or LF code into an existing application, they can sometimes change its behavior. The effects are less easy to predict compared with most attacks, but can be no less dangerous to the target organization.
In this episode we will learn:
- How attackers can trigger a CRLF injection
- Why CRLF injections are dangerous
- Techniques that can fix this vulnerability.
How do Attackers Trigger a CRLF Injection?
Injecting CRLF characters into existing code and trying to produce a specific result is rather difficult, though not impossible. It's made harder because an attacker would need to use different CRLF combinations depending on the operating system and other factors of the targeted system. For example, modern Windows machines require both a CR and LF to end a line, while over on Linux, only the LF code is needed. HTTP requests always require a precise CRLF code to end a line.
But beyond the fact that CRLF attacks are difficult to implement, and even harder to predict their results, they are initiated in much the same way as other injection type attacks. A malicious user simply enters data into any area on a website or application that allows it, only they enter the CRLF code instead of, or after, normal input data.
For example, an attacker could enter the ASCII code representing a carriage return (%0d) followed by ASCII for a line feed (%0a) at the end of an HTTPS header. The whole query would then look like this:
https://validsite.com/index.php?page=home%0d%0a
If the data is not sanitized or filtered, the above code might allow some strange things to happen on the target application or website.
Why are CRLF Injections Dangerous?
While CRLF injection attacks are less precise than most, they can be fairly dangerous at least some of the time. At the low end, adding an extra line can mess up log files, which might trigger automatic cybersecurity defenses to alert administrators to a non-issue. However, this could be used to divert resources away from an actual incursion occurring at the same time.
But CRLF attacks can also be directly damaging. For example, if an application is designed to accept commands and then search for a specific file, adding a CRLF code to the query might trigger the application to display that process to the screen instead of keeping it hidden, which could provide valuable information for an attacker.
CRLF injections can also be used to create what is called a response splitting attack, where the end of line codes break up a valid response into multiple pieces. That can give hackers control of the header after the CRLF code, which can be used to inject additional code. It can also be used to create an opening where the attacker can fully inject their own code, and likely trigger another form of attack, on any line following the part broken by the CRLF attack.
Eliminating the CRLF Injection Vulnerability
If there is one key message to take away from this series, it's to never, ever trust user input. Most of the vulnerabilities we have covered in this series have involved user input areas in one way or another, and the CRLF injection flaw is no exception.
At any point where a user can enter input, filters must be applied to prevent the injection of unauthorized code that might be misinterpreted by the application or server. For CRLF attacks, locking down HTTP headers is especially important, but you also can't forget GET and POST parameters or even Cookies. One great way to specifically thwart CRLF codes from helping to trigger further injections is to apply HTML encoding to anything and everything sent back to a user's browser.
More Information about CRLF Injections
For further reading, you can take a look at what OWASP says about CRLF injections. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
If an attacker can insert a CR or LF code into an existing application, they can sometimes change its behavior. The effects are less easy to predict compared with most attacks, but can be no less dangerous to the target organization.
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoJaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
With blogs or articles like this one, readers are aided by punctuation marks. For example, periods tell readers where a sentence ends, while commas either separate articles in lists or insert hard pauses to help separate ideas. With a well-written blog (like this one), the punctuation is almost invisible, just part of the standard background code that we all learned to process many years ago.
But what happens if a hacker gets into this article and inserts weird punctuation marks in the wrong places? Like this:
Without,even! changing. the, text. it? can. make it! much? harder. to? process! the, information!
That is basically what happens with a CRLF injection attack. The CRLF letters stand for Carriage Return and Line Feed, which are used individually or together to note the termination of a line. If an attacker can insert a CR or LF code into an existing application, they can sometimes change its behavior. The effects are less easy to predict compared with most attacks, but can be no less dangerous to the target organization.
In this episode we will learn:
- How attackers can trigger a CRLF injection
- Why CRLF injections are dangerous
- Techniques that can fix this vulnerability.
How do Attackers Trigger a CRLF Injection?
Injecting CRLF characters into existing code and trying to produce a specific result is rather difficult, though not impossible. It's made harder because an attacker would need to use different CRLF combinations depending on the operating system and other factors of the targeted system. For example, modern Windows machines require both a CR and LF to end a line, while over on Linux, only the LF code is needed. HTTP requests always require a precise CRLF code to end a line.
But beyond the fact that CRLF attacks are difficult to implement, and even harder to predict their results, they are initiated in much the same way as other injection type attacks. A malicious user simply enters data into any area on a website or application that allows it, only they enter the CRLF code instead of, or after, normal input data.
For example, an attacker could enter the ASCII code representing a carriage return (%0d) followed by ASCII for a line feed (%0a) at the end of an HTTPS header. The whole query would then look like this:
https://validsite.com/index.php?page=home%0d%0a
If the data is not sanitized or filtered, the above code might allow some strange things to happen on the target application or website.
Why are CRLF Injections Dangerous?
While CRLF injection attacks are less precise than most, they can be fairly dangerous at least some of the time. At the low end, adding an extra line can mess up log files, which might trigger automatic cybersecurity defenses to alert administrators to a non-issue. However, this could be used to divert resources away from an actual incursion occurring at the same time.
But CRLF attacks can also be directly damaging. For example, if an application is designed to accept commands and then search for a specific file, adding a CRLF code to the query might trigger the application to display that process to the screen instead of keeping it hidden, which could provide valuable information for an attacker.
CRLF injections can also be used to create what is called a response splitting attack, where the end of line codes break up a valid response into multiple pieces. That can give hackers control of the header after the CRLF code, which can be used to inject additional code. It can also be used to create an opening where the attacker can fully inject their own code, and likely trigger another form of attack, on any line following the part broken by the CRLF attack.
Eliminating the CRLF Injection Vulnerability
If there is one key message to take away from this series, it's to never, ever trust user input. Most of the vulnerabilities we have covered in this series have involved user input areas in one way or another, and the CRLF injection flaw is no exception.
At any point where a user can enter input, filters must be applied to prevent the injection of unauthorized code that might be misinterpreted by the application or server. For CRLF attacks, locking down HTTP headers is especially important, but you also can't forget GET and POST parameters or even Cookies. One great way to specifically thwart CRLF codes from helping to trigger further injections is to apply HTML encoding to anything and everything sent back to a user's browser.
More Information about CRLF Injections
For further reading, you can take a look at what OWASP says about CRLF injections. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
With blogs or articles like this one, readers are aided by punctuation marks. For example, periods tell readers where a sentence ends, while commas either separate articles in lists or insert hard pauses to help separate ideas. With a well-written blog (like this one), the punctuation is almost invisible, just part of the standard background code that we all learned to process many years ago.
But what happens if a hacker gets into this article and inserts weird punctuation marks in the wrong places? Like this:
Without,even! changing. the, text. it? can. make it! much? harder. to? process! the, information!
That is basically what happens with a CRLF injection attack. The CRLF letters stand for Carriage Return and Line Feed, which are used individually or together to note the termination of a line. If an attacker can insert a CR or LF code into an existing application, they can sometimes change its behavior. The effects are less easy to predict compared with most attacks, but can be no less dangerous to the target organization.
In this episode we will learn:
- How attackers can trigger a CRLF injection
- Why CRLF injections are dangerous
- Techniques that can fix this vulnerability.
How do Attackers Trigger a CRLF Injection?
Injecting CRLF characters into existing code and trying to produce a specific result is rather difficult, though not impossible. It's made harder because an attacker would need to use different CRLF combinations depending on the operating system and other factors of the targeted system. For example, modern Windows machines require both a CR and LF to end a line, while over on Linux, only the LF code is needed. HTTP requests always require a precise CRLF code to end a line.
But beyond the fact that CRLF attacks are difficult to implement, and even harder to predict their results, they are initiated in much the same way as other injection type attacks. A malicious user simply enters data into any area on a website or application that allows it, only they enter the CRLF code instead of, or after, normal input data.
For example, an attacker could enter the ASCII code representing a carriage return (%0d) followed by ASCII for a line feed (%0a) at the end of an HTTPS header. The whole query would then look like this:
https://validsite.com/index.php?page=home%0d%0a
If the data is not sanitized or filtered, the above code might allow some strange things to happen on the target application or website.
Why are CRLF Injections Dangerous?
While CRLF injection attacks are less precise than most, they can be fairly dangerous at least some of the time. At the low end, adding an extra line can mess up log files, which might trigger automatic cybersecurity defenses to alert administrators to a non-issue. However, this could be used to divert resources away from an actual incursion occurring at the same time.
But CRLF attacks can also be directly damaging. For example, if an application is designed to accept commands and then search for a specific file, adding a CRLF code to the query might trigger the application to display that process to the screen instead of keeping it hidden, which could provide valuable information for an attacker.
CRLF injections can also be used to create what is called a response splitting attack, where the end of line codes break up a valid response into multiple pieces. That can give hackers control of the header after the CRLF code, which can be used to inject additional code. It can also be used to create an opening where the attacker can fully inject their own code, and likely trigger another form of attack, on any line following the part broken by the CRLF attack.
Eliminating the CRLF Injection Vulnerability
If there is one key message to take away from this series, it's to never, ever trust user input. Most of the vulnerabilities we have covered in this series have involved user input areas in one way or another, and the CRLF injection flaw is no exception.
At any point where a user can enter input, filters must be applied to prevent the injection of unauthorized code that might be misinterpreted by the application or server. For CRLF attacks, locking down HTTP headers is especially important, but you also can't forget GET and POST parameters or even Cookies. One great way to specifically thwart CRLF codes from helping to trigger further injections is to apply HTML encoding to anything and everything sent back to a user's browser.
More Information about CRLF Injections
For further reading, you can take a look at what OWASP says about CRLF injections. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoJaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
With blogs or articles like this one, readers are aided by punctuation marks. For example, periods tell readers where a sentence ends, while commas either separate articles in lists or insert hard pauses to help separate ideas. With a well-written blog (like this one), the punctuation is almost invisible, just part of the standard background code that we all learned to process many years ago.
But what happens if a hacker gets into this article and inserts weird punctuation marks in the wrong places? Like this:
Without,even! changing. the, text. it? can. make it! much? harder. to? process! the, information!
That is basically what happens with a CRLF injection attack. The CRLF letters stand for Carriage Return and Line Feed, which are used individually or together to note the termination of a line. If an attacker can insert a CR or LF code into an existing application, they can sometimes change its behavior. The effects are less easy to predict compared with most attacks, but can be no less dangerous to the target organization.
In this episode we will learn:
- How attackers can trigger a CRLF injection
- Why CRLF injections are dangerous
- Techniques that can fix this vulnerability.
How do Attackers Trigger a CRLF Injection?
Injecting CRLF characters into existing code and trying to produce a specific result is rather difficult, though not impossible. It's made harder because an attacker would need to use different CRLF combinations depending on the operating system and other factors of the targeted system. For example, modern Windows machines require both a CR and LF to end a line, while over on Linux, only the LF code is needed. HTTP requests always require a precise CRLF code to end a line.
But beyond the fact that CRLF attacks are difficult to implement, and even harder to predict their results, they are initiated in much the same way as other injection type attacks. A malicious user simply enters data into any area on a website or application that allows it, only they enter the CRLF code instead of, or after, normal input data.
For example, an attacker could enter the ASCII code representing a carriage return (%0d) followed by ASCII for a line feed (%0a) at the end of an HTTPS header. The whole query would then look like this:
https://validsite.com/index.php?page=home%0d%0a
If the data is not sanitized or filtered, the above code might allow some strange things to happen on the target application or website.
Why are CRLF Injections Dangerous?
While CRLF injection attacks are less precise than most, they can be fairly dangerous at least some of the time. At the low end, adding an extra line can mess up log files, which might trigger automatic cybersecurity defenses to alert administrators to a non-issue. However, this could be used to divert resources away from an actual incursion occurring at the same time.
But CRLF attacks can also be directly damaging. For example, if an application is designed to accept commands and then search for a specific file, adding a CRLF code to the query might trigger the application to display that process to the screen instead of keeping it hidden, which could provide valuable information for an attacker.
CRLF injections can also be used to create what is called a response splitting attack, where the end of line codes break up a valid response into multiple pieces. That can give hackers control of the header after the CRLF code, which can be used to inject additional code. It can also be used to create an opening where the attacker can fully inject their own code, and likely trigger another form of attack, on any line following the part broken by the CRLF attack.
Eliminating the CRLF Injection Vulnerability
If there is one key message to take away from this series, it's to never, ever trust user input. Most of the vulnerabilities we have covered in this series have involved user input areas in one way or another, and the CRLF injection flaw is no exception.
At any point where a user can enter input, filters must be applied to prevent the injection of unauthorized code that might be misinterpreted by the application or server. For CRLF attacks, locking down HTTP headers is especially important, but you also can't forget GET and POST parameters or even Cookies. One great way to specifically thwart CRLF codes from helping to trigger further injections is to apply HTML encoding to anything and everything sent back to a user's browser.
More Information about CRLF Injections
For further reading, you can take a look at what OWASP says about CRLF injections. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues'gallery of other threats, visit the Secure Code Warrior blog.
Table of contents
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
The Secure-by-Design movement is the future of secure software development. Learn about the key elements companies need to keep in mind when they think about a Secure-by-Design initiative.
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Driving Meaningful Success for Enterprise Secure-by-Design Initiatives
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.