A Carriage Return Line Feed (CRLF) Injection flaw happens when an app does not filter user input correctly and allows for the insertion of carriage returns and line feeds, input which for multiple internet protocols, including HTML, denote line breaks and have special significance.
For instance, HTTP message parsing depends on CRLF characters to recognize sections of HTTP messages, including headers, as described in RFCs and relied on by browsers. URL encoded, these characters are %0D%0A, which decoded represent \r\n. The effect of a CRLF Injection includes HTTP Request Smuggling and HTTP Response Splitting.
HTTP Request Smuggling happens when an HTTP request is transferred through a server which processes it and transfers it to another server, like a proxy or firewall. This kind of vulnerability can result in:
• Cache poisoning, a condition where an attacker can modify records in an application’s cache and serve malicious pages (e.g., including JavaScript) instead of a proper page.
• Firewall avoidance, where a request can be crafted using CRLFs to bypass security checks.
• Request Hijacking, a condition where an attacker can steal HttpOnly cookies and HTTP authentication data. This is similar to XSS but needs no interaction between the attacker and client.
