CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') | RadicalNotion.AI

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.

Vulnerable example

java

String author = request.getParameter(AUTHOR_PARAM);

Resulting query

plaintext

HTTP/1.1 200 OK

Attack input

plaintext

Wiley Hacker\r\nHTTP/1.1 200 OK\r\n

Resulting query

plaintext

HTTP/1.1 200 OK

The following code is a workflow job written using YAML. The code attempts to download pull request artifacts, unzip from the artifact called pr.zip and extract the value of the file NR into a variable "pr_number" that will be used later in another job. It attempts to create a github workflow environment variable, writing to $GITHUB_ENV. The environment variable value is retrieved from an external resource.

Vulnerable example

other

deploy:

If user input data that eventually makes it to a log message isn't checked for CRLF characters, it may be possible for an attacker to forge entries in a log file.

Vulnerable example

java

logger.info("User's street address: " + request.getParameter("streetAddress"));

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-93?

What CVEs are caused by CWE-93?

Is CWE-93 part of the OWASP Top 10?

How do you prevent CWE-93?

How is CWE-93 detected?

What are the consequences of CWE-93?

Is CWE-93 actively exploited?

References

Stay ahead of CWE-93

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Can precede

Related

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-93?

What CVEs are caused by CWE-93?

Is CWE-93 part of the OWASP Top 10?

How do you prevent CWE-93?

How is CWE-93 detected?

What are the consequences of CWE-93?

Is CWE-93 actively exploited?

References

Stay ahead of CWE-93