CRLF Injection AttackWhat is CRLF injection? This combination of CR and LR is used for example when pressing "Enter" on the keyboard. Depending on the application being used, pressing "Enter" generally instructs the application to start a new line, or to send a command. A CRLF Injection attack occurs when a hacker manages to inject CRLF Commands into the system. This kind of attack is not a technological security hole in the Operating System or server software, but rather it depends on the way that a website is developed. Some developers are unaware of this kind of attack and leave open doors when developing web applications, allowing hackers to inject CRLF Commands. What an attacker can do if your site is vulnerable In some types of websites, this flaw may be lethal to the application's security. In other cases, this may just be a small bug with minimal priority. It all depends on whether this flaw allows the user to manipulate the web application. Example 1 of a CRLF Injection attack Here is a sample basic log file:
This log file is perfectly normal, however if a user had to input something like: I also agree with you..\n25/07/2005-15:00:00 AnotherSurfer What are you talking about!? The log file would then look like this:
In this case, since the input is not being properly filtered from the CR and LF characters, the user created a fake entry in the log file. Example 2 of a CRLF Injection Attack For example E-mail, News (NNTP) and HTTP headers are all based on the structure of "Key: Value" and each line is defined with a CRLF combination at the end. The "Location:" header is used in HTTP to redirect to another URL and a "Set-Cookie:" header is used for cookies. If these inputs are not properly validated, CR and LF characters can be embedded in the user input, and web scripts can be fooled to do other things than what they were originally constructed for. If the input is not checked for CR and LF and the script constructs a redirect with the string: Location: $url%0d%0a We can redirect to a site while setting a cookie by setting $url (as one string) to: http://www.i-was-redirected.com/%0d%0aSet-Cookie: Authenticated=yes%0d%0aReferer: www.somesite.com If an attacker can save the URLs that another user will be redirected to, including cookies with important data, this can be serious. How to check for CRLF vulnerabilities The Acunetix Web Vulnerability Scanner scans for SQL injection, Cross site scripting, Google hacking and many more vulnerabilities. For more information & a trial download click here. Preventing CRLF attacks Check if your website is vulnerable to attack Scanning for XSS vulnerabilities with Acunetix WVS Free Edition! Články o bezpečnosti Keeping Web Hacking at bay with Acunetix - How to avoid a Hacker Attack on your websiteCross Site Scripting - XSS - The Underestimated Exploit Microsoft UK Events Website Hacked The JavaScript Engine of Acunetix WVS PCI Compliance (Payment Card Industry Data Security Standard) Web Applications: What are they? What of them? The True Nature of Web Application Security: The Role and Function of Black Box Scanners Web hacking: An underestimated threat Ajax security: Are AJAX applications vulnerable to hack attacks? PHP / SQL Security - Part 6 Dokumenty White Paper Hledání správného skeneru webových aplikací; proč black-box nestačíThe Payment Card Industry Compliance - Securing both Merchant and Customer data. Web Services - The Technology and its Security Concerns Are AJAX Applications Vulnerable to Hack Attacks? The importance of Securing AJAX Web Applications Auditing Your Web Site Security with Acunetix Web Vulnerability Scanner The Importance of Web Application Scanning SQL & PHP Security by Andrew J. Bennieston |
|