CRLF injection/HTTP response splitting
Published on 2004-09-03. Updated on 2009-04-22.
Description:
This script is possibly vulnerable to CRLF injection attacks.
HTTP headers have the structure "Key: Value", where each line is separated by the CRLF combination. If user input is inserted into the value section without properly escaping or removing CRLF characters, it is possible to alter the structure of the HTTP headers.
HTTP Response Splitting is a new application attack technique which enables various new attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and cross-site scripting (XSS). The attacker sends a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response.
Impact:
It is possible for a remote attacker to inject custom HTTP headers. For example, an attacker can inject session cookies or HTML code. This may lead to vulnerabilities such as XSS (cross-site scripting) or session fixation.
Recommendation:
You need to restrict CR (ASCII 13, 0x0D) and LF (ASCII 10, 0x0A) from the user input or properly encode the output in order to prevent the injection of custom HTTP headers.
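The two options in the recommendation, restricting CR/LF and encoding the output, shown next to a deliberately vulnerable header builder. This is an added example, not code from the original advisory; all function names and the sample input are hypothetical and constructed for illustration.

```python
from urllib.parse import quote

CR, LF = "\r", "\n"  # ASCII 13 (0x0D) and ASCII 10 (0x0A)


def build_redirect_unsafe(target: str) -> str:
    """Deliberately vulnerable: user input is copied into the header value as-is."""
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n"


def reject_crlf(value: str) -> str:
    """Restrict: refuse any header value that contains CR or LF (alone or paired)."""
    if CR in value or LF in value:
        raise ValueError("CR/LF not allowed in HTTP header value")
    return value


def encode_crlf(value: str) -> str:
    """Encode: percent-encode the value for a URL-valued header such as Location."""
    # quote() turns CR into %0D and LF into %0A; the safe set keeps URL syntax
    # intact and leaves existing %xx escapes alone to avoid double-encoding.
    return quote(value, safe=":/?&=#%")


def build_redirect_safe(target: str) -> str:
    """Same response as the unsafe builder, with the value encoded on output."""
    return f"HTTP/1.1 302 Found\r\nLocation: {encode_crlf(target)}\r\n\r\n"


def header_names(raw_response: str) -> list[str]:
    """Parse the header block as a client would: one header per CRLF-separated line."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


# Constructed sample input: a redirect parameter carrying an embedded CRLF pair.
SAMPLE = "/home\r\nSet-Cookie: session=fixed"

if __name__ == "__main__":
    print(header_names(build_redirect_unsafe(SAMPLE)))  # header structure altered
    print(header_names(build_redirect_safe(SAMPLE)))    # header structure preserved
```

Rejecting is the stricter choice for values that should never contain line breaks; percent-encoding only fits headers whose value is a URL.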
Alert Tags: crlf_injection,http_response_splitting
ApplicableApplicationServer: All
ApplicableOS: All
ApplicableWebServer: All