CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.7)  

Presentation Filter:

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

 
Improper Neutralization of CRLF Sequences ('CRLF Injection')
Weakness ID: 93 (Weakness Base)Status: Draft
+ Description

Description Summary

The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect

Technical Impact: Modify application data

+ Likelihood of Exploit

Medium to High

+ Demonstrative Examples

Example 1

If user input data that eventually makes it to a log message isn't checked for CRLF characters, it may be possible for an attacker to forge entries in a log file.

(Bad Code)
Example Language: Java 
logger.info("User's street address: " + request.getParameter("streetAddress"));
+ Observed Examples
ReferenceDescription
CRLF injection enables spam proxy (add mail headers) using email address or name.
CRLF injection in API function arguments modify headers for outgoing requests.
Spoofed entries in web server log file via carriage returns
Chain: inject fake log entries with fake timestamps using CRLF injection
Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting.
Chain: HTTP response splitting via CRLF in parameter related to URL.
+ Potential Mitigations

Phase: Implementation

Avoid using CRLF as a special sequence.

Phase: Implementation

Appropriately filter or quote CRLF sequences in user-controlled input.

+ Weakness Ordinalities
OrdinalityDescription
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class74Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory713OWASP Top Ten 2007 Category A2 - Injection Flaws
Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOfCategoryCategory896SFP Cluster: Tainted Input
Software Fault Pattern (SFP) Clusters (primary)888
CanPrecedeWeakness BaseWeakness Base117Improper Output Neutralization for Logs
Research Concepts1000
ParentOfWeakness BaseWeakness Base113Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Research Concepts (primary)1000
CanAlsoBeWeakness VariantWeakness Variant144Improper Neutralization of Line Delimiters
Research Concepts1000
CanAlsoBeWeakness VariantWeakness Variant145Improper Neutralization of Section Delimiters
Research Concepts1000
+ Research Gaps

Probably under-studied, although gaining more prominence in 2005 as a result of interest in HTTP response splitting.

+ Causal Nature

Explicit

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERCRLF Injection
OWASP Top Ten 2007A2Injection Flaws
WASC24HTTP Request Splitting
+ References
Ulf Harnhammar. "CRLF Injection". Bugtraq. 2002-05-07. <http://marc.info/?l=bugtraq&m=102088154213630&w=2>.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
Externally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01CigitalExternal
added/updated demonstrative examples
2008-07-01CigitalExternal
updated Time_of_Introduction
2008-09-08MITREInternal
updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2009-03-10MITREInternal
updated References
2009-05-27MITREInternal
updated Name
2009-10-29MITREInternal
updated Other_Notes
2009-12-28MITREInternal
updated Likelihood_of_Exploit
2010-02-16MITREInternal
updated Related_Attack_Patterns, Taxonomy_Mappings
2010-04-05MITREInternal
updated Related_Attack_Patterns
2010-06-21MITREInternal
updated Description, Name
2011-03-29MITREInternal
updated Description
2011-06-01MITREInternal
updated Common_Consequences
2012-05-11MITREInternal
updated Relationships
2012-10-30MITREInternal
updated Potential_Mitigations
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11CRLF Injection
2009-05-27Failure to Sanitize CRLF Sequences (aka 'CRLF Injection')
2010-06-21Failure to Sanitize CRLF Sequences ('CRLF Injection')
Page Last Updated: June 23, 2014