Alert on CRLF Injection
A Carriage Return Line Feed (CRLF) Injection is a type of web security vulnerability where an attacker manipulates how web applications interpret input containing carriage return (\r) and line feed (\n) characters.
The CRLF injection attack exploits situations where a server does not properly sanitize or encode user-provided input, allowing an attacker to insert their own new lines (via \r\n) within the headers of an HTTP response. This attack can lead to various malicious outcomes, such as HTTP response splitting, header injection, and cross-site scripting (XSS).
In the example scenario attached below, we inspect multiple object types such as Office, ODF, HTML, PDF and Text for the existence of URLs matching the following regular expression (see iregex()):
iregex("(%0D|%E5%98%8D)(%0A|%E5%98%8A)")
It checks, case-insensitively, for the existence of a CRLF sequence, including the UTF-8 encoded variants (the %E5%98%8D and %E5%98%8A alternatives in the pattern). When such a URL is detected, the scenario triggers an ALERT action.
Click on the download button below to get the scenario and then upload it using Contextal Console or the ctx command line tool (when using the latter, don't forget to reload remote scenarios after adding a new one!)
{
"name": "CRLF Injection",
"min_ver": 1,
"max_ver": null,
"creator": "Contextal",
"description": "Alert on possible CRLF Injection attack.",
"local_query": "(\n (object_type == \"Office\" || object_type == \"ODF\") && \n @match_object_meta($hyperlinks iregex(\"(%0D|%E5%98%8D)(%0A|%E5%98%8A)\"))\n) || (\n object_type == \"HTML\" && \n @match_object_meta($href iregex(\"(%0D|%E5%98%8D)(%0A|%E5%98%8A)\"))\n) || (\n (object_type == \"PDF\" || object_type == \"Text\") && \n @match_object_meta($uris iregex(\"(%0D|%E5%98%8D)(%0A|%E5%98%8A)\")) \n)",
"context": null,
"action": "ALERT"
}
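As an added example (not part of the Contextal scenario or its code), the following Python applies the same iregex() pattern to href values extracted from a constructed HTML snippet, which is what the HTML branch of the scenario does with $href; the parser class, helper names and sample document are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser

# Same pattern as the scenario's iregex(): a percent-encoded CR (%0D) or its
# UTF-8 encoded variant (%E5%98%8D), immediately followed by a percent-encoded
# LF (%0A) or its variant (%E5%98%8A). IGNORECASE mirrors the "i" in iregex,
# so a lowercase %0d%0a is caught as well as %0D%0A.
CRLF_PATTERN = re.compile(r"(%0D|%E5%98%8D)(%0A|%E5%98%8A)", re.IGNORECASE)


def is_crlf_url(url: str) -> bool:
    """Return True if the URL contains an encoded CR immediately followed by an encoded LF."""
    return CRLF_PATTERN.search(url) is not None


class HrefCollector(HTMLParser):
    """Collect href attribute values; stands in for the scenario's $href metadata (assumed helper)."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.hrefs.append(value)


def flag_hrefs(html: str) -> list[str]:
    """Return the href values in an HTML document that match the CRLF pattern."""
    collector = HrefCollector()
    collector.feed(html)
    collector.close()
    return [h for h in collector.hrefs if is_crlf_url(h)]


# Constructed sample document (not taken from the page): one benign link, one with
# a lowercase percent-encoded CRLF, one with the UTF-8 variant, one with CR alone.
SAMPLE_HTML = """
<html><body>
<a href="https://example.com/redirect?next=%2Fhome">home</a>
<a href="https://example.com/redirect?next=%0d%0aX-Injected:%201">lowercase CRLF</a>
<a href="https://example.com/redirect?next=%E5%98%8D%E5%98%8AX-Injected:%201">UTF-8 variant</a>
<a href="https://example.com/redirect?next=%0D">CR only</a>
</body></html>
"""

if __name__ == "__main__":
    for url in flag_hrefs(SAMPLE_HTML):
        print("ALERT:", url)
```

Only the second and third links are flagged: a lone CR, or LF before CR, does not satisfy the pattern, which is exactly the boundary the scenario's regex draws.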