logo

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Draft Base
Structure: Simple
Description

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Common Consequences 1
Scope: Integrity

Impact: Modify Application Data
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations 2
Phase: Implementation
Avoid using CRLF as a special sequence.
Phase: Implementation
Appropriately filter or quote CRLF sequences in user-controlled input.
Demonstrative Examples 2

ID : DX-224

The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.

Code Example:

Bad
Java
java
Assuming a string consisting of standard alpha-numeric characters, such as "Jane Smith", is submitted in the request the HTTP response including this cookie might take the following form:

Code Example:

Result
bash
However, because the value of the cookie is composed of unvalidated user input, the response will only maintain this form if the value submitted for AUTHOR_PARAM does not contain any CR and LF characters. If an attacker submits a malicious string, such as

Code Example:

Attack
bash
then the HTTP response would be split into two responses of the following form:

Code Example:

Result
bash
The second response is completely controlled by the attacker and can be constructed with any header and body content desired. The ability to construct arbitrary HTTP responses permits a variety of resulting attacks, including:
- cross-user defacement - web and browser cache poisoning - cross-site scripting - page hijacking
If user input data that eventually makes it to a log message isn't checked for CRLF characters, it may be possible for an attacker to forge entries in a log file.

Code Example:

Bad
Java
java
Observed Examples 6
CVE-2002-1771CRLF injection enables spam proxy (add mail headers) using email address or name.
CVE-2002-1783CRLF injection in API function arguments modify headers for outgoing requests.
CVE-2004-1513Spoofed entries in web server log file via carriage returns
CVE-2006-4624Chain: inject fake log entries with fake timestamps using CRLF injection
CVE-2005-1951Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting.
CVE-2004-1687Chain: HTTP response splitting via CRLF in parameter related to URL.
References 3
CRLF Injection
Ulf Harnhammar
Bugtraq
07-05-2002
http://marc.info/?l=bugtraq&m=102088154213630&w=2
ID: REF-928
CRLF Injection
Imperva
https://www.imperva.com/learn/application-security/crlf-injection//(2025-02-21)
ID: REF-1456
CRLF injection
R00tendo
25-02-2024
https://medium.com/@R00tendo/crlf-injection-ae26521c5e4c(2025-02-21)
ID: REF-1457
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Related Attack Patterns
Related Weaknesses
ChildOf: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
CanPrecede: Improper Output Neutralization for Logs (CWE-117)
Taxonomy Mapping
  • PLOVER
  • OWASP Top Ten 2007
  • WASC
  • Software Fault Patterns