BEST DEAL

Sunday 11 December 2016

CRLF attack

hi all,
please read below artical based on CRLF attck
Once upon a time, Twitter setup a page for ads haters to report ads violations. In the page, there are a couple of inputs being reflected in Set-Cookie. After a bit of fiddling, I discovered that non-printable control characters were not encoded which they should be. However, this issue alone did not lead to big problems because two critical control characters (CR and LF) were sanitized. More precisely, LF was replaced with a space and CR would result in HTTP 400 (Bad Request Error). Now what?
Mama always told me to learn from the past experience.
After a moment, I recalled there was an encoding bug in Firefox which involved some spec mis-behaviors. Basically,RFC 7230 states that most HTTP header field values use only a subset of the US-ASCII charset. Firefox followed the spec by stripping off any out-of-range characters when setting cookies instead of encoding them. The problem is obvious: blacklist based filter will fail because the input is safe until it is mutated.
At this point you might think we may be able to use that to bypass the detection by submitting a Unicode character which takes CR/LF as the last byte. This is actually not quite accurate. For example, a character like "嘊" (U+560A, %56%0a) still contains the LF character and hence can still be spotted.

Plot Twist

But don't forget we use UTF-8 to encode URL. That means we can use %E5%98%8A to represent U+560A. Surprisingly, Twitter decodes the input but does not encodes it in the output. So the flow is:
  1. We send a payload to the server with crafted Unicode characters which take CR/LF as the last byte and encode it in UTF-8
  2. Server receives the request but does not detect any malicious character
  3. Server decodes the input and removes out-of-range characters
  4. The output then contains clean CR/LF characters
Characters Mutation
Now that we can manipulate headers and contents by injecting CR/LF characters. For your information, here is a payload that sets a cookie: %E5%98%8A%E5%98%8DSet-Cookie:%20test
please comment if you have any question.thanks for reading.please follow me for more post
Thanks
Posted by at
Labels: , , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)