CRLF Injection
Description
CRLF occurs when an attacker can abuse the carriage return character (\r) and a newline character () in an HTTP request in order to inject new headers or a new body for the HTTP request. This attack is a very dangerous attack as it can give the attacker the ability to create whatever request he wants.
Remediation
The only way to prevent CRLF attacks is to carefully sanitize every message that is sent by the client.
GraphQL Specific
Apollo
To prevent CRLF (Carriage Return Line Feed) injection attacks in the Apollo framework, ensure that user input is properly sanitized before being used in HTTP headers or any other outputs. Implement strict input validation to reject any input containing CRLF characters. Additionally, use built-in security features of the framework and libraries for setting HTTP headers to automatically encode potentially dangerous characters. Regularly update the Apollo framework and its dependencies to incorporate security patches that may address CRLF vulnerabilities.
Yoga
To mitigate CRLF (Carriage Return Line Feed) injection vulnerabilities in the Yoga framework engine, ensure that user input is properly sanitized before being used in output functions. Implement strict input validation to reject any input containing CRLF characters or sequences. Additionally, use context-aware encoding functions to encode output according to the specific context in which it is rendered (e.g., HTML, URL, JavaScript). It is also advisable to set appropriate HTTP headers such as 'Content-Type' and 'Content-Disposition' to prevent content sniffing that could lead to CRLF injection attacks.
Awsappsync
To mitigate CRLF (Carriage Return Line Feed) injection vulnerabilities in AWS AppSync, ensure that all user-supplied input is properly sanitized before being processed. Implement input validation to reject any input containing CRLF characters or sequences. Additionally, use built-in AWS AppSync security features to encode and handle data safely. Regularly update and review security policies to prevent injection attacks.
Graphqlgo
To mitigate CRLF (Carriage Return Line Feed) injection vulnerabilities in a GraphQL Go framework engine, ensure that user input is properly sanitized before being processed. Implement strict input validation to reject any input containing CRLF characters or sequences. Additionally, use context-aware escaping functions when handling user input to prevent the injection of arbitrary CRLF sequences into headers or other sensitive parts of the HTTP response. Regularly review and update your security practices to address new and emerging threats.
Graphqlruby
To prevent CRLF (Carriage Return Line Feed) injection attacks in the GraphQL Ruby framework, ensure that user-supplied input is properly sanitized before being used in HTTP headers or any other outputs. Utilize built-in Ruby methods to encode or escape special characters, and consider implementing a robust input validation library to enforce strict input patterns. Additionally, set response headers to treat the content as data, not as executable code, by using content type headers like 'Content-Type: text/plain' for plain text responses.
Hasura
To mitigate CRLF (Carriage Return Line Feed) injection vulnerabilities in the Hasura framework, ensure that user input is properly sanitized before being used in any context. Implement strict input validation to reject any suspicious or malformed input. Additionally, configure Hasura's built-in security features to encode or escape CRLF sequences in both URLs and headers to prevent response splitting attacks. Regularly review and update your security practices to address new threats.
REST Specific
Asp_net
To prevent CRLF injection attacks in ASP.NET, encode user input before including it in HTTP headers or responses. Utilize the HttpUtility.HtmlEncode
method for HTML output and UrlEncode
for URL components. Additionally, set the validateRequest
attribute to true
in the web.config file to enable built-in request validation, and consider implementing a custom header validation routine to check for CRLF sequences.
Ruby_on_rails
In Ruby on Rails, to prevent CRLF injection, ensure that user input is properly validated and encoded. Use built-in Rails methods such as json_escape
to encode output and strip
to remove unwanted carriage return and newline characters from user input. Additionally, set response headers explicitly using Rails' response object methods and avoid directly injecting user-controlled data into headers or responses.
Next_js
To mitigate CRLF injection attacks in Next.js, ensure that user input is properly sanitized by encoding or escaping CRLF sequences before incorporating them into HTTP headers or responses. Utilize middleware or built-in functions to encode output, and rigorously validate and sanitize all user inputs to prevent the injection of malicious characters.
Laravel
In Laravel, to prevent CRLF injection attacks, ensure that user input is properly sanitized before including it in HTTP headers. Use Laravel's built-in validation features to filter and escape input data. Additionally, avoid directly setting headers with user-supplied data and employ middleware that can strip out any CRLF characters from incoming requests.
Express_js
To mitigate CRLF injection attacks in Express.js, ensure that user input is properly sanitized by escaping CRLF sequences. Use middleware such as helmet
to set secure HTTP headers and employ libraries like express-validator
to validate and sanitize input. Avoid directly injecting user content into headers or responses, and consistently encode output when dynamically generating web pages.
Django
In Django, ensure that user input is properly escaped by using Django's built-in template system which automatically handles escaping. Additionally, use Django's HttpResponse objects to construct responses and avoid manually concatenating headers or body content. Always validate and sanitize input to prevent injection of arbitrary CRLF sequences.
Symfony
In Symfony, to prevent CRLF injection attacks, ensure that any user input that is included in HTTP headers is properly sanitized. Use the 'Response' object to set headers instead of raw header functions, and employ the 'setHeader' method which automatically handles special characters. Additionally, validate and sanitize all user inputs to remove or encode carriage return ( ) and newline ( ) characters. Consider using Symfony's built-in functions and components, such as the 'HttpFoundation' component, to manage responses securely.
Spring_boot
In Spring Boot applications, to prevent CRLF injection attacks, ensure that user input is properly validated and encoded. Use built-in security features such as HttpFirewall to restrict the characters allowed in URLs. Additionally, set 'server.tomcat.relaxed-query-chars' and 'server.tomcat.relaxed-path-chars' properties in application.properties to explicitly define which characters are permitted. Always encode user-controlled data before including it in HTTP headers to prevent malicious input from manipulating the response.
Flask
In Flask, to prevent CRLF injection, ensure that user input is properly sanitized by escaping carriage return and newline characters. Use the werkzeug
utility functions such as escape()
to encode user input before incorporating it into HTTP headers or responses. Additionally, set response headers explicitly using Flask's Response
object and avoid directly concatenating user-controlled data into headers or status lines.
Nuxt
To prevent CRLF injection attacks in a Nuxt.js application, ensure that user input is properly sanitized before being included in HTTP headers or responses. Utilize libraries that encode or strip out CRLF characters from inputs, and always validate and escape user data based on the context in which it is used. Additionally, set up content security policies (CSP) to reduce the impact of any potential injection.
Fastapi
In FastAPI, to prevent CRLF injection attacks, ensure that user input is properly sanitized by escaping CRLF characters. Use built-in security features such as automatic data validation and avoid directly passing user input to response headers or status codes. Implement strict input validation using Pydantic models to define acceptable patterns and types.
Configuration
Identifier:
injection/crlf
Examples
Ignore this check
checks:
injection/crlf:
skip: true
Score
- Escape Severity: MEDIUM
Compliance
OWASP: API10:2023
pci: 6.5.1
gdpr: Article-32
soc2: CC1
psd2: Article-95
iso27001: A.14.2
nist: SP800-53
fedramp: AC-4
Classification
- CWE: 93
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
- CVSS_SCORE: 5.1