Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CRLF injection in Twitter - 1361

S3C - Posted 2 Years Ago
  • Carriage Return - Line Feed (CRLF) injection, or response splitting, is a vulnerability where a newline can be added to an HTTP response in order to modify it. For instance, it can be used to change headers, force a response to be saved as a download and much more. It's always felt like a mystery to me how it works, so I just read through some reports.
  • The one linked is fairly simple: add in a %0d%0aKey:Value, where the %0d%0a allows an arbitrary header to be added. This report also links to other interesting Twitter-related reports.
  • This one is interesting because the CRLF injection did not work with a plain CRLF. Instead, they had to use some funky Unicode encoding with %E5%98%8A. If I had to guess, this was a server-level protection and had nothing to do with the software that Twitter built.
  • Another pattern I noticed was this occurring with redirects. With these, the redirect from http to https copies the request path into the redirect URL. Since the newlines in that path weren't being escaped, this led to a serious CRLF injection within the redirect.
  • I tend to blame the server implementation for this. Anything being added into an HTTP response that contains a newline should simply be escaped - there's no reason this shouldn't be the standard. According to DayZeroSec, this is also a common Nginx misconfiguration, with some variables being used in locations that are unintended.
  • Super weird bug class but CRAZY impact when discovered. Redirects and different encodings seem to do the trick in many cases.
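To make the redirect pattern and the fix concrete, here is an added Python example that is mine, not code from the linked reports or from Twitter. It models a redirect handler that copies the request path into `Location`, first unsafely and then behind a check. The model of the server's serializer (`decoded_low_bytes`, which keeps only the low 8 bits of each code point) is an assumption: it is my reading of why an encoding like %E5%98%8A (the UTF-8 form of U+560A, whose low byte is 0x0A) could get past a filter that only looked for %0d%0a. The sample paths and the `example.test` host are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Constructed request paths (not taken from any report): a plain path, a
# percent-encoded CRLF, and two code points (U+560D, U+560A) whose low bytes
# are 0x0D and 0x0A.
SAMPLE_PATHS = [
    "/login",
    "/login%0d%0aX-Injected:%201",
    "/login%E5%98%8D%E5%98%8AX-Injected:%201",
]

CRLF_RE = re.compile(r"[\r\n]")


def decoded_low_bytes(value: str) -> bytes:
    """Hypothetical serializer: one byte per code point, keeping only the low
    8 bits. ASCII survives unchanged; U+560A becomes a bare LF (0x0A)."""
    return bytes(ord(ch) & 0xFF for ch in value)


def header_value_is_safe(raw: str) -> bool:
    """Defender's check: refuse any value that could turn into CR or LF once
    it is percent-decoded and written by the serializer above."""
    decoded = unquote(raw)  # %0d%0a -> '\r\n'; %E5%98%8A -> U+560A
    if CRLF_RE.search(decoded):  # literal or percent-encoded newline
        return False
    if any(b in (0x0A, 0x0D) for b in decoded_low_bytes(decoded)):
        return False  # code point whose low byte is a newline
    return True


def build_redirect_unsafe(path: str) -> bytes:
    """The 'before' pattern: the decoded path goes into Location verbatim."""
    head = "HTTP/1.1 302 Found\r\nLocation: https://example.test" + unquote(path) + "\r\n\r\n"
    return decoded_low_bytes(head)


def build_redirect_safe(path: str) -> bytes:
    """Hardened version: validate the path before it reaches a header."""
    if not header_value_is_safe(path):
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    return build_redirect_unsafe(path)


def count_header_lines(response: bytes) -> int:
    """Number of header lines on the wire (status line excluded); a value
    above the one header we wrote means the response was split."""
    head = response.split(b"\r\n\r\n", 1)[0]
    return len(head.split(b"\r\n")) - 1


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        unsafe = count_header_lines(build_redirect_unsafe(path))
        safe = count_header_lines(build_redirect_safe(path))
        print(f"{path!r}: unsafe={unsafe} header(s), safe={safe} header(s)")
```

Running it shows one header for the plain path and two for each injected path in the unsafe build, while the safe build answers 400 for both injected paths. The check deliberately operates on the decoded value and on the bytes the serializer would emit, which is what a filter that only greps the raw URL for %0d%0a misses.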