Thread: CRLF injection

  1. #1
    "Certified" Alphaholic
    Real Name
    Jaime Ben David
    Join Date
    Jan 2011
    Location
    Karkur, Israel
    Posts
    1,064

    CRLF injection

    Hi
    As part of an ongoing security penetration test performed on my server (Alpha Anywhere Application Server classic), I still have this issue pending (CRLF injection).

    The security experts recommend:
    - Strip any newline characters before passing content into the HTTP header.
    - Encode the data that you pass into HTTP headers. This will effectively scramble the CR and LF codes if the attacker attempts to inject them.

    How can I do that?
    Last edited by WindForce; 11-03-2019 at 09:49 AM.

  2. #2
    "Certified" Alphaholic mikeallenbrown's Avatar
    Real Name
    Mike Brown
    Join Date
    Nov 2009
    Location
    United States
    Posts
    1,879

    Re: CRLF injection

    Your post was cut off it seems.
    Mike Brown - Contact Me
    Programmatic Technologies, LLC
    Programmatic-Technologies.com
    Independent Developer & Consultant

  3. #3
    "Certified" Alphaholic
    Real Name
    Jaime Ben David
    Join Date
    Jan 2011
    Location
    Karkur, Israel
    Posts
    1,064

    Re: CRLF injection

    Thanks Mike, didn't notice... I edited the post.

  4. #4
    "Certified" Alphaholic
    Real Name
    Jaime Ben David
    Join Date
    Jan 2011
    Location
    Karkur, Israel
    Posts
    1,064

    Re: CRLF injection

    ...I'm bumping this since it's stopping the development of a new project for me...

    Here are explanations on CRLF. I'd like to know if someone knows how to prevent this in Alpha Anywhere.


    https://dzone.com/articles/crlf-inje...itting-vulnera
    https://protect2.fireeye.com/v1/url?...g-explained%2F

  5. #5
    Alpha Software Employee Lenny Forziati's Avatar
    Real Name
    Lenny Forziati
    Join Date
    Nov 2001
    Location
    Alpha Software
    Posts
    4,695

    Re: CRLF injection

    As explained in both articles that you linked to, you prevent CRLF header injection by making sure that you only use "safe" values in headers and never directly trust user-supplied input.

    Have you written any custom Xbasic application code that is explicitly setting headers? Most application developers have not and if you are in this group, this is a non-issue for you. If you are in fact writing custom code to set headers, you will need to make sure that the header values only have safe values in them. If the value is something you've coded directly, this is pretty simple - just don't use a CRLF. If the value is coming from user input, you must remove any potentially malicious characters before setting the header value.

    Lenny Forziati
    Vice President, Internet Products and Technical Services
    Alpha Software Corporation
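
The two recommendations quoted in post #1 (strip, or encode) and the rule stated in the reply above, shown as an added example that is not from the thread or from Alpha Software. It is written in Python rather than Xbasic; the function names and the sample value are assumptions made for illustration.

```python
import re
from urllib.parse import quote

# CR, LF, NUL, the other C0 controls and DEL must never reach a header line.
# HTAB (0x09) is left out of the class because field values may contain it.
_FORBIDDEN = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
# Characters allowed in a header field name (an HTTP "token").
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed user input: a language code followed by an injected header line.
SAMPLE_INPUT = "en\r\nX-Injected: 1"


class UnsafeHeaderError(ValueError):
    """Raised instead of emitting a header that could split the response."""


def strip_header_value(value: str) -> str:
    """Recommendation 1: remove CR/LF (and other control characters)."""
    return _FORBIDDEN.sub("", value).strip(" \t")


def encode_header_value(value: str) -> str:
    """Recommendation 2: percent-encode, so CR/LF become the inert text %0D%0A."""
    return quote(value, safe="/:?=&-._~")


def build_header(name: str, value: str) -> str:
    """Fail closed: refuse to build a header line from a malformed name or value."""
    # fullmatch, not match with '$': '$' would accept a name ending in "\n".
    if not _TOKEN.fullmatch(name):
        raise UnsafeHeaderError(f"bad header name: {name!r}")
    if _FORBIDDEN.search(value):
        raise UnsafeHeaderError(f"control character in value of {name}")
    return f"{name}: {value}\r\n"


if __name__ == "__main__":
    print(repr(strip_header_value(SAMPLE_INPUT)))
    print(repr(encode_header_value(SAMPLE_INPUT)))
    print(repr(build_header("Content-Language", strip_header_value(SAMPLE_INPUT))))
```

Stripping keeps the injected text on the same line as harmless data, encoding preserves it in a form the client can decode later, and `build_header` is the last check before anything is written to the response.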

  6. #6
    "Certified" Alphaholic
    Real Name
    Jaime Ben David
    Join Date
    Jan 2011
    Location
    Karkur, Israel
    Posts
    1,064

    Re: CRLF injection

    That's the thing Lenny, I haven't written anything of the sort. I even changed my home page to a nearly blank html page and it still doesn't pass.
    Here is an excerpt of the PT report about this issue in my site.
    Code:
    Step-1) Visit https://www.solutions.co.il
    Step-2) Intercept the request using burp suite and send it to the repeater.
    Step-3) Add below payload to the end of the URL:
    
    %3f%0d%0aContent-Length:35%0d%0aX-XSS-
    Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0
    a/%2f%2e%2e
    
    Step-4)Forward the request. You will see the HTTP headers successfully get added in the response.

  7. #7
    Alpha Software Employee Lenny Forziati's Avatar
    Real Name
    Lenny Forziati
    Join Date
    Nov 2001
    Location
    Alpha Software
    Posts
    4,695

    Re: CRLF injection

    Originally posted by WindForce:
    That's the thing Lenny, I haven't written anything of the sort. I even changed my home page to a nearly blank html page and it still doesn't pass.
    Here is an excerpt of the PT report about this issue in my site.
    Code:
    Step-1) Visit https://www.solutions.co.il
    Step-2) Intercept the request using burp suite and send it to the repeater.
    Step-3) Add below payload to the end of the URL:
    
    %3f%0d%0aContent-Length:35%0d%0aX-XSS-
    Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0
    a/%2f%2e%2e
    
    Step-4) Forward the request. You will see the HTTP headers successfully get added in the response.

    I cannot duplicate this. If you can, please enable raw HTTP logging in order to capture the full request and response, then send that log to bugs@alphasoftware.com.

    Lenny Forziati
    Vice President, Internet Products and Technical Services
    Alpha Software Corporation
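
One way to triage a raw HTTP capture like the one requested above for request targets that decode to CR or LF, as an added example that is not part of the thread. The format of Alpha Anywhere's raw log is not shown on this page, so the sketch assumes plain request lines (`METHOD target HTTP/x.y`); the sample lines are constructed.

```python
import re
from urllib.parse import unquote

REQUEST_LINE = re.compile(
    r"(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) (\S+) HTTP/\d(?:\.\d)?"
)
CONTROL = re.compile(r"[\r\n\x00]")


def decode_fully(target: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (%250d) are seen too."""
    for _ in range(max_rounds):
        decoded = unquote(target, encoding="latin-1")
        if decoded == target:
            break
        target = decoded
    return target


def suspicious_targets(log_lines):
    """Return (line_number, raw_target) for request lines that decode to CR, LF or NUL."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_LINE.fullmatch(line.strip())
        if match and CONTROL.search(decode_fully(match.group(2))):
            hits.append((number, match.group(2)))
    return hits


# Constructed sample lines (not taken from the logs mentioned in this thread).
SAMPLE_LOG = [
    "GET /index.a5w?lang=en HTTP/1.1",
    "GET /%3f%0d%0aX-Test:1 HTTP/1.1",        # single-encoded CR LF
    "GET /docs/%250d%250aX-Test:1 HTTP/1.1",  # double-encoded CR LF
    "GET /search?q=100%25+cotton HTTP/1.1",   # literal percent sign, benign
    "Host: www.example.test",                 # header line, not a request line
]

if __name__ == "__main__":
    for number, target in suspicious_targets(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

A hit only shows that the request carried encoded line breaks; whether the server is affected depends on whether the matching response in the capture contains the extra header lines.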

  8. #8
    "Certified" Alphaholic mikeallenbrown's Avatar
    Real Name
    Mike Brown
    Join Date
    Nov 2009
    Location
    United States
    Posts
    1,879

    Re: CRLF injection

    Looks like Alpha has this fixed. Check today's prerelease notes.

    https://aadocuments.s3.amazonaws.com...easeNotes.Html
    Mike Brown - Contact Me
    Programmatic Technologies, LLC
    Programmatic-Technologies.com
    Independent Developer & Consultant

  9. #9
    "Certified" Alphaholic
    Real Name
    Jaime Ben David
    Join Date
    Jan 2011
    Location
    Karkur, Israel
    Posts
    1,064

    Re: CRLF injection

    <g>Mike are you fast or what... I've been refreshing the pre-release for hours and it was still stuck at the Nov. 8 version :-)

    Anyway, I had the cybersecurity company perform the penetration tests while I set up raw HTTP logging. Sent the logs to Lenny, who checked right away and confirmed the vulnerability. A few hours later he sent a mail stating the issue was fixed and it would be in the next pre-release.
    I can't think of any other dev. tool with such a fast response from the developers themselves.
