What is CRLF Injection?
A CRLF injection vulnerability occurs when an application copies user input containing CRLF (Carriage Return, 0x0D, and Line Feed, 0x0A) characters into a context where those characters have structural meaning, most commonly HTTP response headers, where each CRLF terminates a header line. An attacker who controls such input can add headers of their own (HTTP header injection) or end the header block early and supply a response body, which is how CRLF injection turns into cross-site scripting. If left unaddressed, these vulnerabilities can let an attacker set cookies, redirect users, run script in victims' browsers in the context of the affected site, or tamper with data on the compromised website or application.
The Story
Microsoft's Hall of Fame, the coveted list of bug hunters, has a new name on it. Neh Patel, a security researcher from India known by the handle "THECYBERNEH", successfully found and reported a P2 vulnerability to Microsoft, earning a four-figure bounty and a place in the Hall of Fame.
Patel found the vulnerability after spending several weeks searching for valid issues in Microsoft's websites. He tested some 50 to 70 subdomains, concentrating on those that offered premium features, reasoning that these were less likely to have been explored by others.
The vulnerability he found was a CRLF injection that led to XSS (Cross-Site Scripting).
CRLF injection is a vulnerability that occurs when a web server copies user-supplied input into a response header such as Location or Set-Cookie without encoding or stripping carriage return and line feed characters. Because CRLF terminates a header line, an attacker can append headers of their own, and with a double CRLF can end the header block and write their own response body, which is how a CRLF injection becomes an XSS.
Patel started his search by attempting Host Header Injection and other non-functional tests. He then tried CRLF injection, sending a payload that included the special characters "%0D%0A%20Set-Cookie:whoami=thecyberneh" (a URL-encoded CRLF, a space, and a Set-Cookie header). The response he received was "400 Bad Request".
That response made Patel suspect that the server was not well protected, or that the block was coming from a weak firewall in front of the application rather than from the application itself. He confirmed this suspicion by requesting random URLs, which returned ordinary "404 Not Found" responses, suggesting that the application was reachable and only the payload was being filtered. He then modified his payload to get past the firewall and successfully exploited the CRLF injection to achieve XSS.
Patel reported the vulnerability to Microsoft and was awarded a $6,000 bounty and a place in the Hall of Fame.
In conclusion, Neh Patel's success demonstrates the importance of perseverance and creativity in finding and reporting vulnerabilities. His discovery of a CRLF to XSS vulnerability in Microsoft's systems highlights the need for companies to keep their security controls up to date and to continuously monitor and test their systems for vulnerabilities.
How to Prevent CRLF Injection?
To prevent CRLF Injection, consider the following steps:
- Input validation: Validate user-supplied data before it reaches a header or any other line-oriented context. Reject or strip CR (0x0D) and LF (0x0A), check the decoded value rather than the raw URL-encoded form, and ensure the value matches the expected format (for a redirect target, an allow-list of permitted destinations).
- Output encoding: Encode user-supplied data for the context it is written into. For a header value that means percent-encoding or removing CR and LF; for HTML output it means HTML-encoding, which stops an injected response body from being interpreted as script.
- Use safe APIs: Set headers through your HTTP library or framework's own header-setting functions rather than by string concatenation; most modern frameworks reject or encode CR and LF in header values.
- Security testing: Conduct security testing, including penetration testing and vulnerability scanning, that specifically sends CR/LF sequences (encoded as %0D%0A and in alternative encodings) in every parameter that is reflected into a response header, so CRLF injection vulnerabilities are found before an attacker finds them.
- Keep software up-to-date: Keep your software up-to-date to ensure that known vulnerabilities are patched and your application is protected against the latest attacks.
By implementing these steps, you can reduce the risk of CRLF injection attacks and improve the security of your web applications.
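The following is an added example, not code from the write-up, from Microsoft, or from the researcher. It shows the mechanism described in The Story (a parameter reflected into a Location header, and why a leading space after the CRLF matters to lenient parsers) next to the input-validation fix from the list above. The redirect handler, the response parser, and the XSS-shaped payload are all constructed for this example; only the Set-Cookie payload string is the one quoted in the write-up. The firewall bypass itself is not reproduced here.

```python
"""Added example, not code from the write-up or from Microsoft.

A toy HTTP redirect handler that reflects a query parameter into the
Location header, first as written naively and then hardened, plus a small
response parser so the effect of the injected CRLF is visible.
All inputs below are constructed for this example.
"""
from urllib.parse import unquote

# The payload quoted in the write-up. Note the %20 after %0D%0A: the
# injected line starts with a space.
WRITEUP_PAYLOAD = "%0D%0A%20Set-Cookie:whoami=thecyberneh"

# Generic CRLF-to-XSS shape (constructed, not the payload from the report):
# a blank line terminates the headers, so everything after it is served as
# the response body.
XSS_PAYLOAD = "%0D%0A%0D%0A<script>alert(document.domain)</script>"


class CRLFInjectionError(ValueError):
    """Raised by the hardened handler when a header value contains CR or LF."""


def build_redirect_vulnerable(next_url: str) -> bytes:
    """Vulnerable: the percent-decoded parameter is written into Location verbatim."""
    target = unquote(next_url)
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def build_redirect_hardened(next_url: str) -> bytes:
    """Hardened: refuse any CR or LF in the *decoded* value before it reaches a header.

    Checking the decoded value matters: rejecting the literal text "%0D%0A"
    would miss other encodings that are decoded later. Percent-encoding CR
    and LF instead of rejecting is an acceptable alternative for a Location
    value; an allow-list of redirect targets would normally be applied too.
    """
    target = unquote(next_url)
    if "\r" in target or "\n" in target:
        raise CRLFInjectionError(f"CR/LF in redirect target: {target!r}")
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def hardened_rejects(next_url: str) -> bool:
    """True if the hardened handler refuses this redirect target."""
    try:
        build_redirect_hardened(next_url)
    except CRLFInjectionError:
        return True
    return False


def parse_response(raw: bytes) -> tuple[str, list[tuple[str, str]], str]:
    """Parse a raw response leniently, the way many intermediaries do.

    Every CRLF-separated line before the blank line is treated as a header
    and leading whitespace is ignored. A strict RFC 7230 parser would instead
    treat a line that starts with whitespace as an obsolete fold continuing
    the previous header; a leading-space payload relies on that difference.
    """
    head, _, body = raw.decode("latin-1").partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, sep, value = line.strip().partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return status_line, headers, body


def header_values(raw: bytes, name: str) -> list[str]:
    """Return all values of a header (case-insensitive) from a raw response."""
    _, headers, _ = parse_response(raw)
    return [v for n, v in headers if n.lower() == name.lower()]


if __name__ == "__main__":
    raw = build_redirect_vulnerable("/home" + WRITEUP_PAYLOAD)
    print(raw)
    print("Injected Set-Cookie:", header_values(raw, "Set-Cookie"))
    raw = build_redirect_vulnerable("/home" + XSS_PAYLOAD)
    print("Body now contains:", parse_response(raw)[2])
    try:
        build_redirect_hardened("/home" + WRITEUP_PAYLOAD)
    except CRLFInjectionError as exc:
        print("Hardened handler rejected it:", exc)
```

Run it directly to see the raw bytes the vulnerable handler emits: the injected Set-Cookie line appears as a header of its own to the lenient parser, and with the double-CRLF variant the script tag lands in the body while the server's own Content-Length header is pushed below the blank line. The hardened handler refuses both before any header is written, which is the check the input-validation and safe-API items above describe.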
Link to read full write up: here