CRLF Injection attacks and HTTP Response Splitting

CRLF injection, or HTTP response splitting, is a type of injection attack that can lead to Cross-site Scripting (XSS) and web cache poisoning among others.

CRLF refers to the Carriage Return and Line Feed sequence of special characters. These two special characters represent the End of Line (EOL) marker for many internet protocols, including HTTP. Web applications typically split headers based on where the CRLF character sequence is found. Therefore, if a malicious user is able to inject their own CRLF sequence into an HTTP stream, they gain control over the contents of the HTTP response.

Since CRLF characters can be used to split an HTTP response header, it is often also referred to as HTTP Response Splitting. The following example is a crafted request containing CRLF (the %0d%0a characters in the request below) that causes Cross-site Scripting.

http://www.yoursite.com/somepage.php?page=%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E

The victim will see the following in their browser.

<script>alert(1)</script>

Variations of this attack can be used to poison proxy or web caches in order to get the cache to serve the attacker’s content to other users.

Mitigating CRLF injection

Fortunately, CRLF attacks are usually mitigated by many web frameworks automatically, however, even if the vulnerability is not mitigated, it’s a very simple vulnerability to fix — simply strip out any input which contains the %0d%0a URL encoded characters.