CRLF
The term CRLF refers to Carriage Return (ASCII 13, \r) followed by Line Feed (ASCII 10, \n). The sequence marks the end of a line, but today's popular operating systems handle line endings differently. For example, Windows requires both a CR and an LF to end a line, whereas Linux/UNIX requires only an LF. In the HTTP protocol, the CRLF sequence is always used to terminate a line.
A CRLF injection attack occurs when a user manages to submit a CRLF sequence into an application, most commonly by modifying an HTTP parameter or URL.
Summary
CRLF - Add a cookie
CRLF - Add a cookie - XSS Bypass
CRLF - Write HTML
CRLF - Filter Bypass
References
CRLF - Add a cookie
Requested page
HTTP Response
CRLF - Add a cookie - XSS Bypass
Requested page
HTTP Response
CRLF - Write HTML
Requested page
HTTP Response
CRLF - Filter Bypass
Using UTF-8 encoding
Reminder (each UTF-8 sequence decodes to a code point whose low byte is the ASCII character shown, which is what a backend that truncates code points to a single byte ends up writing):
%E5%98%8A = %0A = \u560a
%E5%98%8D = %0D = \u560d
%E5%98%BE = %3E = \u563e (>)
%E5%98%BC = %3C = \u563c (<)
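A small Python model, added here and not part of the original page, of the header injection from the "Add a cookie" section and of the low-byte truncation the UTF-8 bypass above depends on, together with the check a defender would place in front of header construction. The lossy backend (`low_byte_truncate`), the helper names and the sample parameter values are constructed assumptions, not a named product or framework.

```python
import re
from urllib.parse import unquote

# Regex for a raw carriage return or line feed in a decoded header value.
CRLF_RE = re.compile(r"[\r\n]")


def decode_param(raw: str) -> str:
    """Percent-decode a URL parameter into a str (UTF-8, like most web frameworks)."""
    return unquote(raw)


def low_byte_truncate(value: str) -> str:
    """Model (a constructed assumption, not a named product) of a lossy backend that
    keeps only the low byte of each code point when writing headers. This is what the
    UTF-8 bypass relies on: U+560A -> 0x0A (LF), U+560D -> 0x0D (CR),
    U+563E -> '>' and U+563C -> '<'; plain ASCII passes through unchanged."""
    return "".join(chr(ord(ch) & 0xFF) for ch in value)


def contains_line_break(value: str) -> bool:
    """True if the value holds CR/LF directly or would after low-byte truncation."""
    return bool(CRLF_RE.search(value) or CRLF_RE.search(low_byte_truncate(value)))


def naive_location_header(target: str) -> str:
    """Vulnerable construction: the decoded parameter is interpolated as-is, so an
    embedded CRLF starts a new header line (the 'add a cookie' case)."""
    return f"Location: {target}"


def safe_location_header(target: str) -> str:
    """Hardened construction: refuse any value that could split the response."""
    if contains_line_break(target):
        raise ValueError("CR/LF (or a CR/LF-producing code point) in header value")
    return f"Location: {target}"


if __name__ == "__main__":
    # Constructed sample parameter values, not taken from the original page.
    for raw in ("/home", "/home%0d%0aSet-Cookie:%20demo=1",
                "/home%E5%98%8D%E5%98%8ASet-Cookie:%20demo=1"):
        decoded = decode_param(raw)
        lines = naive_location_header(low_byte_truncate(decoded)).split("\r\n")
        print(f"{raw!r}: naive build yields {len(lines)} header line(s); "
              f"rejected by check: {contains_line_break(decoded)}")
```

The check runs on the decoded value, so an encoded CRLF and its UTF-8 variant are caught the same way; rejecting rather than stripping keeps a malformed redirect target from being silently rewritten.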
Exploitation Tricks
Try to search for parameters that lead to redirects and fuzz them
Also test the mobile version of the website; it is sometimes different or uses a different backend.
References
https://www.owasp.org/index.php/CRLF_Injection
https://vulners.com/hackerone/H1:192749