For a bug bounty in fintech, I spent three minutes finding a CRLF injection point in the redirect endpoint and two hours escalating it to XSS through HTTP response splitting, ending in administrator session capture. The triager rated it Medium, even though the chain led to full session hijacking through an injected Set-Cookie. I had to write a detailed comment with a video PoC to get the rating revised. CRLF injection is not a separate class in the OWASP Top 10 (it falls under A03:2021 Injection), but with the right escalation two injected bytes (\r\n) turn into a complete session capture. Let's walk through the mechanics, from the byte sequence to the kill chain on a real CVE.
CRLF's place in the attack chain
CRLF injection is not the final target but the entry point. On its own it is worth pennies on any bug bounty platform; the value is in what grows out of it. In MITRE ATT&CK terms it maps to different tactics depending on the escalation vector:

Typical chain: CRLF injection in a response header → injected Set-Cookie for session fixation (T1606.001), or response splitting into XSS (T1059.007) for cookie theft (T1539) → lateral movement with the stolen web session cookie (T1550.004). It is the choice of escalation vector that determines the final severity. A bare CRLF without a chain is Low or Informational on most platforms. With a chain to session hijacking, it is a different conversation.
Injection mechanics: encodings, servers and bypasses
HTTP/1.1 uses the sequence CR (ASCII 13, \r) + LF (ASCII 10, \n) as the header separator. A single CRLF separates headers from each other; a double CRLF (\r\n\r\n) separates the headers from the response body. Per CWE-93 (Improper Neutralization of CRLF Sequences), the vulnerability arises when an application does not neutralize CRLF coming from user input. CWE-74 (Injection) describes the broader class: the application builds a data structure from external input without filtering special characters, and the attacker modifies data, bypasses protection, or changes the execution logic.
Encodings and filter bypasses
The characters \r\n sent as-is through a standard HTTP client or a WAF will not get through. Which variant works depends on the context:

The fundamental difference between %0d%0a and the text \r\n: the first is URL-encoded control characters, which the web server decodes before passing the value to the application. If the application inserts the decoded value into an HTTP header without sanitization, CRLF injection takes place. The second is four printable characters that are not control codes at all. Confusing the two is a common cause of false negatives in testing.
Differences in CRLF handling across servers
How CRLF in user input is handled depends on the stack. This is critical when crafting a payload: what works on Node.js may not work on Apache, and vice versa.
Node.js (http module) historically accepted a bare LF (\n) as a header separator, widening the attack surface. In a number of versions http.request() allowed injection through headers, which led to a CVE in the ecosystem. Current versions of Node.js filter CRLF in res.setHeader(), but a response formed manually through res.socket.write() gets no such protection. And it is exactly this pattern that turns up in legacy code more often than we would like.
Nginx, when used as a reverse proxy with the proxy_set_header directive and substitution of $arg_* variables, can pass CRLF sequences through to the backend if the value has not been filtered through a map. Nginx itself does not allow CRLF when it generates response headers; there it is fine.
Apache: mod_headers escapes CRLF when headers are added through Header set. The vulnerability remains when ErrorDocument is used with user data, or when mod_rewrite injects into the Location header. The second variant I have seen on real projects: someone writes a RewriteRule with %{QUERY_STRING} straight into Location, and hello.
Frameworks (Express.js, Django, Spring Boot) neutralize CRLF in their standard header-setting APIs in current versions. The vulnerability appears when the HTTP response is generated manually through a raw socket, when outdated versions are used, or when proxy layers pass user data into headers. The framework protects, but only where its API is actually used, and not one step beyond.
HTTP response splitting and exploitation via CRLF
Session fixation via Set-Cookie injection
The simplest vector is injecting a Set-Cookie header into the HTTP response. If the application substitutes user input into a header (typically Location on a redirect, Content-Disposition on a file download, or a custom header), the attacker appends CRLF and a header of their own.
Example: the application forms the header X-Custom-Name: <user_input>. The attacker sends the value test%0d%0aSet-Cookie:%20session=attacker_value;%20Path=/. If the server does not filter CRLF, the response gains an additional header Set-Cookie: session=attacker_value; Path=/. The victim's browser accepts the chosen cookie and session fixation is done: the attacker now knows the session value the victim will use. In MITRE ATT&CK terms: Web Cookies (T1606.001, Credential Access).
One header, two bytes, and the session is fixed. All that remains is to wait until the victim logs in.
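To make the encoding point and the raw-socket pattern concrete, here is an added Python example (not code from the original post or from any product it mentions). It shows the legacy builder that concatenates a decoded query value straight into a header, a hardened version that validates the value first, and the decode-then-check step that separates %0d%0a from the literal text "\r\n". The header name, body and parameter values are constructed for the illustration.

```python
"""Added example, not from the original post: a raw-socket style response
builder in the vulnerable form the post warns about, next to a hardened
form, plus the decode step that distinguishes %0d%0a from literal "\\r\\n".
All names and values here are constructed for the illustration."""
from urllib.parse import unquote

BODY = b"<html>ok</html>"  # constructed response body


class HeaderInjection(ValueError):
    """Raised by the hardened builder when a header value carries a control character."""


def decode_param(param: str) -> str:
    """What the web server does before handing a query value to the application:
    percent-decoding. %0d%0a becomes a real CR LF pair; the text "\\r\\n"
    (backslash, r, backslash, n) stays four printable characters."""
    return unquote(param)


def has_control_chars(value: str) -> bool:
    """True when the already-decoded value contains CR, LF or any other C0 control
    byte, i.e. anything that could terminate a header line. A bare LF counts too,
    because some parsers (historically Node.js) accept it as a separator."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def _format_response(user_value: str) -> bytes:
    """Header block assembled by string concatenation, the res.socket.write() style.
    Nothing in here neutralizes the value; the caller must do it."""
    head = (
        "HTTP/1.1 200 OK\r\n"
        f"X-Custom-Name: {user_value}\r\n"
        "Content-Type: text/html\r\n"
        f"Content-Length: {len(BODY)}\r\n"
        "\r\n"
    )
    return head.encode("latin-1") + BODY


def build_response_vulnerable(user_value: str) -> bytes:
    """Legacy pattern: decoded user input goes straight into the header block."""
    return _format_response(user_value)


def build_response_hardened(user_value: str) -> bytes:
    """Same builder, but the value is validated first. Rejecting is preferable to
    silently stripping: the request is a probe and should surface in monitoring."""
    if has_control_chars(user_value):
        raise HeaderInjection("control character in header value")
    return _format_response(user_value)


def hardened_rejects(param: str) -> bool:
    """Does the hardened builder refuse this URL-encoded parameter?"""
    try:
        build_response_hardened(decode_param(param))
    except HeaderInjection:
        return True
    return False


def header_lines(raw: bytes) -> list[str]:
    """The emitted header block split on CRLF, to show what actually went out."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    return head.decode("latin-1").split("\r\n")


if __name__ == "__main__":
    # The encoded value from the post; the literal-text variant is harmless.
    encoded = "test%0d%0aSet-Cookie:%20session=attacker_value;%20Path=/"
    print("decoded has control chars:", has_control_chars(decode_param(encoded)))
    print("literal text has control chars:", has_control_chars(decode_param("test\\r\\nx")))
    for line in header_lines(build_response_vulnerable(decode_param(encoded))):
        print("vulnerable emitted:", line)
    print("hardened rejects:", hardened_rejects(encoded))
```

The useful habit this encodes for a reviewer: check the value after decoding, not before, and treat a rejected request as a detection event rather than a value to quietly clean up.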
XSS via response splitting
A double CRLF (%0d%0a%0d%0a) also ends the header block and starts the response body. Everything after the double CRLF the browser interprets as HTML/JavaScript.
According to the description from Acunetix, a full HTTP response splitting payload is built as follows:
The logic: Content-Length: 0 makes the browser consider the first response complete. Then the second "response" begins, with its own headers and a body containing JavaScript. The browser executes the script, which is XSS (T1059.007), which is then used to steal cookies (T1539) or hijack the session (T1185).
In practice, full response splitting with two "responses" rarely works on modern stacks: servers and proxies normalize headers. But injection of a single header (Set-Cookie, Location, Access-Control-Allow-Origin) through one CRLF works far more often. And that is enough.
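The role of Content-Length: 0 in the description above is easiest to see from the consumer's side. The following added Python example (not from the original post or from Acunetix) is a minimal HTTP/1.1 response parser that reads status line, headers and exactly Content-Length bytes of body, then treats whatever remains on the connection as the next response. The byte stream it parses is constructed for the illustration, with a harmless marker script rather than a payload; it does not handle chunked transfer encoding.

```python
"""Added example, not from the original post: a minimal HTTP/1.1 response parser
that shows why a first response with Content-Length: 0 lets a second, injected
response follow on the same connection. The stream below is constructed."""
import re
from dataclasses import dataclass, field

HEADER_SEP = re.compile(rb"\r\n|\n")  # lenient: bare LF also ends a header line


@dataclass
class Response:
    status: str
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_one(stream: bytes) -> tuple[Response, bytes]:
    """Parse a single response: status line, headers, then exactly Content-Length
    bytes of body (0 when the header is absent). Returns the response and the
    unconsumed remainder of the stream. Chunked encoding is out of scope."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = HEADER_SEP.split(head)
    status = lines[0].decode("latin-1")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    length = int(headers.get("content-length", "0"))
    return Response(status, headers, rest[:length]), rest[length:]


def split_responses(stream: bytes) -> list[Response]:
    """Keep parsing until the stream is exhausted. A client that honours
    Content-Length treats the leftover bytes as the *next* response, which is
    exactly what the splitting technique relies on."""
    out: list[Response] = []
    while stream.strip():
        resp, stream = parse_one(stream)
        out.append(resp)
    return out


# Constructed stream: what a vulnerable server emits when the injected header
# value closes the first response early and starts a second one.
INJECTED_BODY = b"<html><script>/* marker */</script></html>"
SPLIT_STREAM = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /welcome\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: %d\r\n"
    b"\r\n" % len(INJECTED_BODY)
) + INJECTED_BODY

# Constructed stream: an ordinary single response for comparison.
PLAIN_STREAM = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"


if __name__ == "__main__":
    for i, r in enumerate(split_responses(SPLIT_STREAM), 1):
        print(f"response {i}: {r.status} headers={r.headers} body={r.body!r}")
    print("plain stream yields", len(split_responses(PLAIN_STREAM)), "response")
```

For a defender the takeaway is the inverse: a proxy that refuses or re-serializes header values containing CR/LF, or that drops a response whose body length disagrees with Content-Length, never hands the browser a second response to parse, which is why the full two-response variant rarely survives a modern edge.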
Web cache poisoning via CRLF
When an HTTP response carrying the injected header is cached by an intermediate proxy (Varnish, Squid, a CDN edge), every subsequent visitor receives the poisoned response. One attacker request through a CDN can affect thousands of users before the cache TTL expires. Per CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers), cache poisoning is one of the main consequences of HTTP response splitting.
But there is a nuance: cache poisoning via CRLF only works when there is a caching proxy between the client and the server, that proxy does not normalize HTTP headers before caching, and the application does not neutralize CRLF before forming the response. Without a caching proxy the vector is limited to a single victim. But if there is a proxy and it caches, the scale of impact grows by orders of magnitude.
CVE-2023-4767: CRLF in ManageEngine Desktop Central
Analysis of a real CVE shows what CRLF injection looks like in the production code of a corporate product. Not in a textbook, but in a system that manages workstations.
CVE-2023-4767: CRLF injection in ManageEngine Desktop Central version 9.1.0 (Zoho Corp.). The vulnerable parameter is fileName at the endpoint /STATE_ID/1613157927228/InvSWMetering.csv.

Analysis of the CVSS vector by component: AV:N, the attack is over the network, no local access needed. AC:L, low attack complexity, no special conditions. PR:N, no privileges required, the endpoint is reachable without authentication. UI:R, user interaction required (the victim clicks the link). S:C, scope changed: a vulnerability in the server component affects another security domain. C:L / I:L, low impact on confidentiality and integrity (cookie manipulation, header injection). A:N, availability is not affected.
The fileName parameter lands in an HTTP response header (presumably Content-Disposition) without CRLF neutralization. The attacker crafts a URL with %0d%0a in the fileName value, sends it to the victim (hence UI:R in the vector), and injects arbitrary HTTP headers into the server's response.
ManageEngine Desktop Central is an enterprise endpoint management system. CRLF injection in such a product is Exploit Public-Facing Application (T1190): the product is exposed on the network and the attack requires no authentication. Escalation to hijacking through an injected Set-Cookie is a matter of one header. And given that Desktop Central by its nature has access to every managed host, the impact of a hijacked admin session goes far beyond CVSS 6.1.
Detection and exploitation of CRLF injection
Environment setup
• OS: Kali Linux 2024+, Parrot OS, or macOS/Windows with Burp Suite installed
• Tools: Burp Suite Community/Pro (Repeater), curl 7.80+, nuclei 3.x (optional)
• Network: access to the target application (test environment or bug bounty scope)
• Privileges: not required; in most cases CRLF injection is exploitable without authentication
Where a WAF catches CRLF injection, and where it misses
Most WAFs (ModSecurity with CRS, Cloudflare WAF, AWS WAF) detect the standard %0d%0a in URL parameters; that is a basic rule that works out of the box. But a number of scenarios get through:

On the server-framework side, Express.js (res.setHeader()), Django (HttpResponse), Spring Boot (HttpServletResponse.setHeader()) neutralize CRLF in current versions. The vulnerability lives in manual HTTP response formation through raw sockets, outdated library versions, and middleware layers that substitute user data into headers.
A separate vector is log injection. Here a WAF is no help at all: it protects HTTP responses, not server logs. If the application writes user input to a log without CRLF filtering, the attacker inserts false entries: a line with the IP 127.0.0.1 lands in the log instead of the real IP. This is not HTTP response splitting, but in a pentest it is used to hide traces; a tampered log complicates the investigation.
After four years in bug bounty I can say: CRLF injection turns up in roughly every tenth web application with legacy code. The pattern is always the same: developers protect against SQL injection and XSS, but headers are forgotten. CRLF injection falls under A03:2021 Injection in the OWASP Top 10, but as a separate item in developers' checklists it is a rare sight. The framework protects the standard API, and a custom handler that builds Content-Disposition from a file name taken from the request is a hole two bytes wide.
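The log injection variant is worth a concrete illustration from the defender's side. The following is an added Python example (not from the original post): a logger that appends the user field raw, next to one that escapes control characters so a value can never start a new line, plus two forensic checks over an existing log: visible CR/LF escapes (evidence of an attempt once escaping is on) and timestamps that go backwards (a common tell of a forged line, since the attacker picks its timestamp). The log format, addresses and the forged value are constructed for the illustration.

```python
"""Added example, not from the original post: CRLF-safe logging of a user-supplied
field, plus two checks over an existing log. Log format, IPs and the injected
value are constructed for this illustration."""

# Constructed: a username value carrying CR LF followed by a fabricated entry
# that claims 127.0.0.1 as the source, the forgery the post describes.
SAMPLE_USER = "bob\r\n2024-03-01T10:00:01Z 127.0.0.1 login user=admin"


def escape_for_log(value: str) -> str:
    """Replace CR, LF and every other C0 control character with a visible \\xNN
    escape, so a user-supplied value always stays on the line it was written to."""
    return "".join(
        f"\\x{ord(ch):02x}" if ord(ch) < 0x20 or ord(ch) == 0x7F else ch
        for ch in value
    )


def append_raw(log_text: str, ts: str, ip: str, action: str, user: str) -> str:
    """Legacy pattern: the user field is concatenated into the line unchanged."""
    return log_text + f"{ts} {ip} {action} user={user}\n"


def append_safe(log_text: str, ts: str, ip: str, action: str, user: str) -> str:
    """Hardened pattern: the user field is escaped before it reaches the line."""
    return log_text + f"{ts} {ip} {action} user={escape_for_log(user)}\n"


def injection_attempts(log_text: str) -> list[int]:
    """1-based numbers of lines that contain an escaped CR or LF: with escaping
    in place, these are the requests that tried to break the log format."""
    return [
        i for i, line in enumerate(log_text.splitlines(), 1)
        if "\\x0d" in line or "\\x0a" in line
    ]


def out_of_order(log_text: str) -> list[int]:
    """1-based numbers of lines whose timestamp (first token, ISO-8601 UTC, so
    lexicographic order is chronological) is earlier than the line before it.
    A forged entry injected through CRLF carries whatever timestamp the attacker
    typed, which frequently breaks the monotonic sequence a real logger writes."""
    flagged: list[int] = []
    previous = ""
    for i, line in enumerate(log_text.splitlines(), 1):
        ts = line.split(" ", 1)[0]
        if previous and ts < previous:
            flagged.append(i)
        previous = ts
    return flagged


if __name__ == "__main__":
    raw = append_raw("", "2024-03-01T10:00:05Z", "203.0.113.9", "login", SAMPLE_USER)
    safe = append_safe("", "2024-03-01T10:00:05Z", "203.0.113.9", "login", SAMPLE_USER)
    print("raw logger wrote", len(raw.splitlines()), "lines; out of order:", out_of_order(raw))
    print("safe logger wrote", len(safe.splitlines()), "line; attempts:", injection_attempts(safe))
```

The ordering check is a heuristic, not proof: an attacker who guesses the clock correctly slips past it, which is why escaping at write time is the control and the checks are only the after-the-fact safety net.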