Comments (1)
Details
CRLF is an abbreviation for the terms "carriage return" and "line feed." These two special characters are a legacy of old-fashioned printing terminals used in the early days of computing. However, today both are still often used as delimiters between data. When this weakness exists, CR and LF characters (represented respectively in code as \r and \n) are permitted to be present in HTTP headers, usually due to poor planning for data handling during development.
CRLF sequences in HTTP headers are known as "response splitting" because these characters effectively split the response from the browser, causing the single line to be accepted as multiple lines by the server (for example, the single line First Line\r\nSecond Line would be accepted by the server as two lines of input).
While response splitting in itself is not an attack, and can be completely harmless unless exploited, its presence could lead to an injection attack (known as CRLF injection) and a variety of unpredictable and potentially dangerous behavior. This weakness can be exploited in a number of ways, such as page hijacking or cross-user defacement, in which an attacker displays false site content and/or captures confidential information such as credentials. It can even lead to cross-site scripting attacks, in which attackers can cause malicious code to execute in the user's browser.
For example, the following code is vulnerable:
protected void doGet(HttpServletRequest request, HttpServletResponse response) {
Cookie cookie = new Cookie("name", request.getParameter("name"));
response.addCookie(cookie);
}
because the user may provide a name parameter with a value like XYZ\r\nHTTP/1.1 200 OK\nATTACKER CONTROLLED. In this case, they will produce a second HTTP response:
HTTP/1.1 200 OK
ATTACKER CONTROLLED
A possible fix is to remove all non-alphanumerical characters:
protected void doGet(HttpServletRequest request, HttpServletResponse response) {
String name = request.getParameter("name")
.replaceAll("[^a-zA-Z ]", "");
Cookie cookie = new Cookie("name", name);
response.addCookie(cookie);
}
In this case, the attacker would be unable to produce a second HTTP response.
Best practices for prevention
Assume all input is potentially malicious. Define acceptable responses wherever possible, and if not possible, encode CR and LF characters to prevent header splitting.
Replace both \r (carriage return) and \n (line feed) with "" (empty string)-many platforms handle these characters interchangeably so the weakness may still exist if one of the two is permitted. Follow best practices and strip all other special characters (", /, , ;, etc., as well as spaces) wherever possible. Be sure to sanitize special characters in both directions-from the browser to the server and also in data sent back to the browser. Ideally, adopt current development resources, such as languages and libraries, that block CR and LF injection in headers. Be vigilant with all input types that could potentially be tampered with or modified at the user end (intentionally or unintentionally), which could lead to
from i2p.i2p.
Related Issues (20)
- Many sites not accessible with 2.3.0 docker image HOT 1
- slow
- miss click
- feature request auto download host list from jump sites HOT 2
- stack guard error
- org.apache.ant:ant Denial of Service (DoS) HOT 1
- multiable Hardcoded Secrets cve HOT 2
- 2 uses of risky/ broken cryptograhic alogrithm CVE HOT 3
- multiable SSRF server side request forgery CVE HOT 1
- 4 open redirects CVE HOT 2
- Inadequate Encryption Strength CVE multiables HOT 2
- multiable Use of Password Hash With Insufficient Computational Effort :CVE
- can i have perms to allow pull requests etc HOT 1
- Use of Hardcoded, Security-relevant Constants HOT 1
- Observable Timing Discrepancy (Timing Attack) HOT 2
- Use of Hardcoded Credentials HOT 1
- Improper Neutralization of CRLF Sequences in HTTP Headers number 2
- fresh install with split-config breaks the addressbook HOT 3
- https://deb.i2p2.de not responding HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from i2p.i2p.