crlf injection


I just heard about crlf injection and was trying to understand how one
would prevent it in a web site.

Is this only applicable in input text boxes?


Re: crlf injection


CR/LF injection is just a specific instance of shell metacharacter
injection.  The basic gist is to include command terminators or shell
metacharacters in with a web app request with the intent of
terminating a shell command, Perl command, or SQL or whatever a web
app might be doing with user input data in order for the command to
get terminated and allow an attacker to run a command of their

It is prevented by scrubbing any data that comes from a web
browser/client and restricting it only to those specifically allowed
elements, and making sure shell metacharacters and command terminators
(such as ; CR or LF) are filtered from user data before they are
included as arguments for search queries or commands run on the


It's applicable in any field/variable where the web application
accepts input from a POST or GET request.  This includes HIDDEN fields
that might be part of multi-step form processing pages.  One typical
folly of a functionality-minded web app developer is to trust that
what comes from the browser can't be modified somehow.  Some try to
validate in JavaScript not knowing it can be circumvented.  Most web
app developers don't consider that nefarious users might go out of
their way and use web proxy applications to actively modify hidden
fields in form pages and modify values, or modify values after they've
been validated in JavaScript, etc.

Highly recommended reading from the OWASP project:

2.0.1 appears to be the latest release of the Open Web Application
Security Project (OWASP) Guide.  The OWASP Org page is here:

Best Regards,
Todd H. /
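The two points in the reply above (filter CR, LF and shell metacharacters before user data reaches a command, and validate every field server-side, hidden ones included) as an added, runnable Python example. This is not code from the original thread; the `grep` search feature, the field names `q` and `step`, the file path and the sample requests are all constructed for illustration.

```python
import re
import shlex

# Constructed sample submissions (not from the original post). The second one
# is what a client behind a web proxy can send: an LF as a shell command
# terminator in the visible field, and a ';' in the HIDDEN 'step' field.
SAMPLE_REQUEST = {"q": "report", "step": "2"}
ATTACK_REQUEST = {"q": "report\ncat /etc/passwd", "step": "2; id"}

# One allowlist rule per form field. Anything outside the allowed shape
# (CR, LF, ';', '|', '$', backticks, ...) is rejected rather than "cleaned".
# Note the patterns carry no '$' anchor: in Python, '$' also matches just
# before a trailing newline, so re.match(r"^[a-z]+$", "abc\n") succeeds.
# re.fullmatch below requires the whole string to match, newline included.
FIELD_RULES = {
    "q": re.compile(r"[A-Za-z0-9 ._-]{1,64}"),   # search term
    "step": re.compile(r"[1-4]"),                # hidden multi-step form counter
}


def validate_field(name, value):
    """True only if the field is known and its value matches the allowlist."""
    rule = FIELD_RULES.get(name)
    if rule is None or not isinstance(value, str):
        return False
    return rule.fullmatch(value) is not None


def validate_form(fields):
    """Check every expected field (hidden or not) and refuse unknown ones."""
    errors = {}
    for name in FIELD_RULES:
        if not validate_field(name, fields.get(name, "")):
            errors[name] = "rejected"
    for name in fields:
        if name not in FIELD_RULES:
            errors[name] = "unexpected field"
    return (not errors, errors)


def unsafe_command(term):
    """The pattern the reply warns about: raw user data pasted into a shell string."""
    return "grep -i " + term + " /var/www/docs/index.txt"


def shell_command_count(command_line):
    """Toy view of how sh tokenises an unquoted string: ';', CR and LF each end a command."""
    return len([c for c in re.split(r"[;\r\n]", command_line) if c.strip()])


def safe_argv(term):
    """Hardened form: validate first, then pass the term as one argv element.

    Hand this list to subprocess.run(argv) with shell=False; no shell ever
    parses the user's bytes, so CR/LF and ';' cannot terminate anything.
    """
    if not validate_field("q", term):
        raise ValueError("search term rejected")
    return ["grep", "-i", "--", term, "/var/www/docs/index.txt"]


def quoted_command(term):
    """If a shell string is unavoidable, shlex.quote keeps CR/LF/';' literal."""
    return "grep -i " + shlex.quote(term) + " /var/www/docs/index.txt"


if __name__ == "__main__":
    print("normal form:", validate_form(SAMPLE_REQUEST))
    print("tampered form:", validate_form(ATTACK_REQUEST))
    bad = unsafe_command(ATTACK_REQUEST["q"])
    print("commands the shell would see in the unsafe string:",
          shell_command_count(bad))
    print("safe argv:", safe_argv(SAMPLE_REQUEST["q"]))
    print("quoted fallback:", repr(quoted_command(ATTACK_REQUEST["q"])))
```

The allowlist approach is the "restricting it only to those specifically allowed elements" advice from the reply; a denylist that strips `;`, CR and LF would miss `|`, `&&`, backticks and `$()` and is harder to keep complete. The `step` rule shows that a hidden field gets exactly the same treatment as a visible one, since the proxy-wielding user described above can edit either.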

Re: crlf injection


I don't know what exactly you mean by "crlf injection", but of
course all input of a web form has to be corrected before being processed
further if you're using languages like, e.g., Perl.

If class libraries are compared to animals, MFC is the slime-warts toad.
