CRLF Injection in URL

Description

CRLF injection involves injecting Carriage Return (ASCII 13, \r) and Line Feed (ASCII 10, \n) characters into web requests or responses. These characters are used to denote new lines in HTTP messages, and their injection can lead to various attacks, including HTTP response splitting. Attackers exploit CRLF injection vulnerabilities to manipulate HTTP responses, insert arbitrary headers, or modify response bodies.

Recommendation

To mitigate CRLF injection vulnerabilities, ensure that web server configurations and web application logic properly encode CRLF characters before including them in responses. Implement input validation and output encoding mechanisms to filter out or encode user-supplied data to prevent injection attacks.

References

• CWE-113
• CWE-20
• CWE-93
• OWASP 2021-A3
• OWASP: CRLF Injection
• OWASP: HTTP Response Splitting