InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…


CRLF Injection — xxx$ — How was it possible for me to earn a bounty with the Cloudflare WAF?

I recently discovered a CRLF injection vulnerability on a popular website. In this blog post, I will describe the vulnerability and the attack scenarios that I was able to demonstrate. I will also discuss the potential impacts of CRLF injection vulnerabilities.

What is CRLF?

CRLF (Carriage Return and Line Feed) is a sequence of two special characters used to mark the end of a line of text in many computing contexts. Attackers can use CRLF injection to insert malicious content into websites. To protect against these attacks, web developers need to handle CRLF sequences properly and sanitize user-generated content.

CRLF injection has two main use cases:

  • Log Splitting: The attacker inserts an end-of-line character and an extra line to falsify log file entries, deceiving system administrators and hiding other attacks.
  • HTTP Response Splitting: CRLF injection is used to add HTTP headers to the HTTP response and, for example, perform an XSS attack that leads to information disclosure.
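Both cases come down to untrusted text reaching a line-oriented output unmodified. The following is an added example, not code from the original post, showing one way to close both paths: escape line breaks before writing a log field, and refuse them outright in a header value. The function names and the sample inputs are constructed for illustration.

```python
import re

# Backslash plus CR, LF and other separators some log viewers treat as line ends.
_LOG_UNSAFE = re.compile(r"[\\\r\n\x0b\x0c\x1c-\x1e\x85\u2028\u2029]")


def log_field(value: str) -> str:
    """Escape line breaks so one event always occupies exactly one log line."""
    return _LOG_UNSAFE.sub(
        lambda m: m.group().encode("unicode_escape").decode("ascii"), value
    )


def header_value(value: str) -> str:
    """Reject values that could end the header line and start a new one."""
    if re.search(r"[\r\n\x00]", value):
        raise ValueError("CR, LF or NUL in header value")
    return value


def naive_log_line(ts: str, user: str, outcome: str) -> str:
    # Vulnerable form: the user-controlled field is written as-is.
    return f"{ts} login user={user} outcome={outcome}\n"


def log_line(ts: str, user: str, outcome: str) -> str:
    # Hardened form: the field is escaped before it reaches the log.
    return f"{ts} login user={log_field(user)} outcome={outcome}\n"


def response_head(location: str) -> str:
    # Header lines end in CRLF, so the value itself must never contain one.
    return f"HTTP/1.1 302 Found\r\nLocation: {header_value(location)}\r\n\r\n"


# Constructed inputs: a username carrying a forged log entry, and a
# redirect target carrying an extra header.
FORGED_USER = "bob\r\n2024-05-01T10:00:00Z login user=admin outcome=ok"
FORGED_LOCATION = "/home\r\nSet-Cookie: session=constructed"

if __name__ == "__main__":
    print(naive_log_line("2024-05-01T09:59:58Z", FORGED_USER, "fail"), end="")
    print(log_line("2024-05-01T09:59:58Z", FORGED_USER, "fail"), end="")
    try:
        response_head(FORGED_LOCATION)
    except ValueError as exc:
        print("rejected:", exc)
```

Escaping suits logs because the original value stays recoverable for an investigator, while rejection suits headers because no legitimate header value contains a line break.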

The Report
