CRLF injection/HTTP response splitting (Web Server)
Description
CRLF (Carriage Return Line Feed) injection is a web application vulnerability that occurs when user-supplied input is written into an HTTP response header without being validated. HTTP/1.x headers follow a strict line-oriented format: each header line ends with the two-byte sequence CRLF (\r\n, 0x0D 0x0A), and an empty line separates the header block from the body. If an attacker can get these two characters into a header value (typically URL-encoded as %0d%0a in a parameter that ends up in a Location or Set-Cookie header), the server emits them verbatim and the attacker gains control over the rest of the response: they can append arbitrary headers, terminate the header block early, and supply their own body, effectively splitting one response into two. This technique, also known as HTTP Response Splitting, enables follow-on attacks including web cache poisoning, cross-site scripting (XSS) via an attacker-supplied body, session fixation via an injected Set-Cookie header, and web defacement.
Remediation
Implement the following security controls to prevent CRLF injection attacks:
1. Input Validation and Sanitization:
Reject any user input containing CR (\r, 0x0D) or LF (\n, 0x0A) characters before it is used in an HTTP header; rejecting is preferable to silently stripping, because a request that carries these bytes is almost never legitimate and failing it loudly gives you something to log and alert on. Apply the check to the decoded value the application actually uses, not to the raw URL-encoded form. Where the expected value has a known shape (a language code, a numeric ID, a hostname), validate against an allowlist pattern for that shape rather than only blacklisting the two line-ending characters.
2. Use Framework-Provided Header Functions:
Modern web frameworks provide header-setting methods that validate or encode the value for you, and several runtimes refuse header values containing CR or LF outright (PHP's header() has rejected embedded newlines since 5.1.2, and Werkzeug, used by Flask, raises an error for them). Always use these APIs instead of writing raw header bytes yourself, but do not rely on them as the only control: behaviour differs between frameworks and versions, and code that builds a response by string concatenation bypasses them entirely.
Example (Java):
// VULNERABLE - Direct concatenation: CR/LF in userInput become new header lines
response.addHeader("Location", "page.jsp?lang=" + userInput);
// SECURE - Validate and sanitize input (rejecting the request is preferable to stripping; see step 1)
String sanitized = userInput.replaceAll("[\\r\\n]", "");
response.addHeader("Location", "page.jsp?lang=" + sanitized);

Example (PHP):
// VULNERABLE - Direct header injection
header("Location: page.php?lang=" . $_GET['lang']);
// SECURE - Remove CRLF characters
$sanitized = str_replace(array("\r", "\n"), '', $_GET['lang']);
header("Location: page.php?lang=" . $sanitized);

Example (Python/Flask):
# VULNERABLE - Direct use of user input
response.headers['X-Custom'] = request.args.get('value')
# SECURE - Sanitize input
import re
value = re.sub(r'[\r\n]', '', request.args.get('value', ''))
response.headers['X-Custom'] = value

3. Output Encoding:
Encode user input for the context it is placed in. A value embedded in a URL, such as the query string of a Location header, should be percent-encoded so that CR and LF become %0D%0A: the header cannot be split and the data is preserved instead of being silently altered. A value echoed into the response body should be HTML-encoded. Encoding is a complement to the check in step 1, not a replacement for it: a header field value must never contain a raw CR or LF, whatever encoding was applied to the body.
4. Security Headers:
Set Content-Security-Policy and X-Content-Type-Options headers as defense in depth: they limit what an attacker-supplied body can do if an injection is only partially successful. They are not a fix for the underlying flaw, since an attacker who can inject arbitrary headers can also add or override these ones.
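The following is an added example, not code from the original page: it builds the redirect response described above by naive string concatenation, parses it the way a client or cache would to show the injected Set-Cookie header and body, and then applies steps 1 and 3 of the remediation (reject CR/LF, allowlist the expected format, percent-encode for the URL context) to the same redirect. The example.test host, the function names and the lang parameter are assumptions; the attack payload is constructed for the demonstration.

```python
"""CRLF injection into an HTTP response header, and the remediation applied.

Added example (not the page's own code). The example.test host, the function
names and the `lang` parameter are assumptions; ATTACK_LANG is a constructed
payload, shown as a framework would hand it to the application after
URL-decoding ?lang=en%0d%0aSet-Cookie:%20session=attacker%0d%0a%0d%0a...
"""
import re
from urllib.parse import quote

ATTACK_LANG = "en\r\nSet-Cookie: session=attacker\r\n\r\n<html>evil</html>"
REDIRECT_BASE = "https://example.test/page?lang="


def naive_redirect_response(lang: str) -> bytes:
    """VULNERABLE: the parameter is concatenated straight into a header line."""
    head = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {REDIRECT_BASE}{lang}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return head.encode("latin-1")


def parse_response(raw: bytes):
    """Minimal HTTP/1.1 response parser: (status line, header dict, body).

    It splits on the first blank line, exactly as a browser or cache does,
    so anything placed after an injected blank line becomes the body and
    the server's own trailing headers are swallowed into it.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


class HeaderInjection(ValueError):
    """Raised when a value is not safe to place in an HTTP field value."""


CTL_RE = re.compile(r"[\r\n\x00]")
LANG_RE = re.compile(r"^[a-z]{2,3}(-[A-Za-z]{2,4})?$")


def is_safe_header_value(value: str) -> bool:
    """True if the value contains no CR, LF or NUL."""
    return CTL_RE.search(value) is None


def validate_header_value(value: str) -> str:
    """Step 1 (reject): fail loudly instead of silently stripping, so an
    attack attempt can be logged rather than quietly turned into a valid
    request."""
    if not is_safe_header_value(value):
        raise HeaderInjection("control character in header value")
    return value


def validate_lang(lang: str) -> str:
    """Step 1 (allowlist): the parameter is a language tag, so accept only
    that shape; this also blocks values that stripping CR/LF would let through."""
    if LANG_RE.fullmatch(lang) is None:
        raise HeaderInjection("unexpected lang format")
    return lang


def safe_redirect_response(lang: str) -> bytes:
    """Step 3 (encode for context): the value lands in a URL query string,
    so percent-encode it. CR/LF become %0D%0A, the header block cannot be
    split, and the data survives instead of being altered."""
    location = REDIRECT_BASE + quote(lang, safe="")
    validate_header_value(location)  # defense in depth: never emit raw CR/LF
    head = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return head.encode("latin-1")


if __name__ == "__main__":
    _, hdrs, body = parse_response(naive_redirect_response(ATTACK_LANG))
    print("naive: injected Set-Cookie =", hdrs.get("set-cookie"), "| body =", body[:17])
    _, hdrs, body = parse_response(safe_redirect_response(ATTACK_LANG))
    print("safe:  Location =", hdrs["location"], "| body =", body)
    try:
        validate_lang(ATTACK_LANG)
    except HeaderInjection as exc:
        print("allowlist rejected payload:", exc)
```

Running the block prints the attacker's Set-Cookie header and the injected HTML body for the naive version, and a single intact Location header with the payload reduced to a harmless %0D%0A sequence for the hardened one. In a real application the allowlist check on lang would run first and reject the request; the percent-encoding is what protects the header if a less constrained value has to be forwarded.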