What is a CRLF Injection?

A CRLF injection is a security vulnerability where an attacker injects Carriage Return (CR) and Line Feed (LF) characters into user-supplied input. These characters (\r\n), used as End of Line (EOL) markers in protocols like HTTP, can alter the intended structure of text streams such as HTTP headers if not properly handled. When a web application fails to validate or encode user input, attackers may exploit the flaw to perform unauthorized actions—most notably, manipulating HTTP responses or injecting malicious content.

CRLF stands for “Carriage Return Line Feed.” These control characters are fundamental for delineating lines in many communications protocols. In the context of web security, injecting a CRLF sequence can split HTTP responses, breaking expected application behavior and creating opportunities for further attacks, including HTTP Response Splitting, cross-site scripting (XSS), and session hijacking. The vulnerability is formally tracked in standards such as CWE-93: “Improper Neutralization of CRLF Sequences (‘CRLF Injection’).”

How Does a CRLF Injection Work?

CRLF injection arises when applications incorporate untrusted input directly into HTTP headers or similar sensitive locations without proper sanitization or encoding. By adding a CRLF sequence to the input, attackers may prematurely terminate a header or other control structure, inserting additional HTTP headers or crafting a new response body. This causes the application or server to process unintended instructions and can compromise both data integrity and user security.

Effective exploitation of this vulnerability can have wide-reaching consequences, as it enables modification of application responses and facilitates a range of downstream attacks.

Consequences of a CRLF Injection

Exploiting a CRLF injection vulnerability can enable:

• HTTP Response Splitting: Attackers inject responses that browsers interpret as legitimate, sometimes delivering malicious payloads to users or altering cached content.
• Cross-Site Scripting (XSS): Malicious scripts may be injected through manipulated responses, executing in a victim’s browser.
• Session Hijacking: Attackers may gain access to session cookies or tokens by injecting headers or scripts that intercept or expose sensitive data.
• Website Defacement: Unauthorized content or redirects can be introduced into HTTP responses, altering site appearance or behavior.
• Web Cache Poisoning: Malicious content can be cached by servers or proxies, exposing all users accessing the cached resource to attack.
• Log Injection: Malicious entries may be inserted into application logs, making incident response and auditing more difficult.

Examples of CRLF Injection Attacks

Example: Manipulating HTTP Headers

Suppose a web application uses user input to build a response header, such as a location redirect:

Location: /profile?user=[user input]

If input is not sanitized, an attacker submits:

attacker\r\nSet-Cookie: sessionid=malicious

The resulting HTTP response will contain an extra header:

Location: /profile?user=attacker
Set-Cookie: sessionid=malicious

This could allow the attacker to set a cookie in the victim’s browser, which may be leveraged for session hijacking.

Example: HTTP Response Splitting

If a vulnerable application reflects input in HTTP headers (such as a redirect or custom header), and an attacker submits:

badguy\r\n\r\n<script>alert('XSS')</script>

This input causes the server to split the response in two, with the injected script delivered in the response body. The browser processes the response and executes the script, resulting in an XSS attack.

How Can You Prevent CRLF Injection Vulnerabilities?

CRLF injection can be mitigated with well-established secure coding practices:

• Sanitize User Input: Never trust data received from users or external sources. Remove or encode CR (\r) and LF (\n) characters before using any input in HTTP headers or other protocol control fields. Reject or sanitize values containing these characters where such input is unnecessary.
• Use Frameworks and Libraries Securely: Rely on robust, well-maintained libraries or frameworks that automatically handle input validation and output encoding for headers and other sensitive locations.
• Validate Application Behavior: Ensure inputs match expected formats, lengths, and characters before processing them in application logic or constructing responses. Consider explicit whitelisting of acceptable characters.

By implementing these controls, organizations can effectively eliminate CRLF injection risks and reduce exposure to related vulnerabilities.

Frequently Asked Questions (FAQs) About CRLF Injection

Q: Is CRLF injection the same as HTTP Response Splitting?
A: HTTP Response Splitting is a well-known attack that results from CRLF injection vulnerabilities. CRLF injection provides the means for splitting or manipulating HTTP responses, but other consequences are possible depending on how the application processes input.

Q: How severe is a CRLF injection vulnerability?
A: Severity depends on application context and exploitation potential. If attackers can execute scripts (XSS) or hijack sessions, the impact is high. Other impacts, like log manipulation, may be moderate but still undermine security monitoring and incident response.

Q: How can I test my application for CRLF injection flaws?
A: Security testing tools like Dynamic Application Security Testing (DAST) solutions are effective for detecting CRLF injection, as they can automatically submit payloads designed to reveal injection issues in running applications. Manual testing—by submitting CR and LF characters and observing response behavior—can also uncover vulnerabilities, especially when reviewing application source and logic.