Time
1 hour 41 minutes
Difficulty
Beginner
CEU/CPE
2

Video Description

A CRLF injection refers to the special character elements "Carriage Return" and "Line Feed" and is a vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. In this AppSec Tutorial, the developer will see how a CRLF injection is exploited and will learn the steps to remediate this vulnerability.

Video Transcription

00:07
AP SEC Tutorials CR left injection about this course.
00:13
See our love injection is a form of applications security, vulnerability in the family of injection flaws. The presence of Sierra left injection in applications code can potentially allow malicious users to transform data streams in a variety of harmful ways.
00:28
In this course, you'll see an example of how this weakness could be exploited and then how it can be fixed.
00:34
At the end of this course, you will understand the risks associated with your left injection and be able to defend against instances of this flaw.
00:42
To get the most out of this course. If you haven't already done so, we recommend that you take our introduction to Web applications Security Course first,
00:51
The following video shows how an attacker might discover and exploit the sea or left injection attack.
00:57
Hello, my name is Kevin Richard, and I'm a security researcher with VERACODE. Today, I'd like to provide a brief demonstration of the application security weakness known a CR left injection. To do so, I'm going to use an application called Vera and secure a Web app we're building to demonstrate a number of real security vulnerabilities.
01:15
Let's get started,
01:19
you may be wondering in the name CR left injection. What does the C R. Left mean these letters stand for to Unicode control characters, respectively called Carriage Return and Line Feed control characters are units of information that do not represent a written symbol but instead alter a data stream in other ways.
01:38
CR left
01:40
or a carriage return followed by a line feed is how many platforms represent line breaks in text.
01:47
So within a stream of data, a CR left is just like pressing. Enter or return on your keyboard. Now ask yourself what could happen during data processing if in applications, users discovered they had the ability to submit CR lefts in unexpected places,
02:02
let's see a quick example.
02:06
Have a look at the page on my screen.
02:08
We have a simple log in page that behaves like any other. Given a correct user name and password, the application will authenticate the user and direct them to another page. But whether or not the credentials are valid, each press of this button makes the application log a record of the attempted access.
02:24
Investigators use lungs like these in the event of a breach to discover which resource is were accessed and which systems were affected,
02:32
but also what parties were involved. An attacker who tried to infiltrate this site would presume that such a log was kept and expecting the breach to be detected in time they grasped at this log would contain evidence of their wrongdoing.
02:46
So in order to step of, their plan becomes misdirecting the forthcoming investigation toward some other suspect through populating the log file with false information.
02:57
We already know that the individual lines of this file are separated by sea our laps.
03:01
So if the user can inject CR lefts into the data being written, bacon force parts of the data onto new lines, and if they conform at it correctly, they can make it look like it was written by the application itself.
03:14
So why not write data to the logs that implicates an innocent party in your hack?
03:20
Let's plan out our incident. The attacker has to know what a valid log entry actually looks like, as well as a failed one.
03:28
Fortunately, in a poorly made up like Vera and secure, it's very possible to obtain this information through underhanded means.
03:36
Want Europe SEC tutorial on directory reversal. If you'd like to see one way to do this,
03:42
the attacker starts with read only access to a sample log file. We extract from this a success and a failure in order to inspect their contents.
03:52
Admin and scapegoat are present because to users have typed those names, any user name will appear the end of a line like this, followed by a CR left to separate it from the next line.
04:03
But since the application doesn't remove extra CR lefts when the user submits them, we can manipulate this oversight to make it appear that the user named Scapegoat has logged in right before. Our own attempt has failed. Here's how we do that.
04:18
Let's start with the bath log in. As we've observed, these three lines are long. Each time a felt Logan occurs with only one deviation, the name of the user that tried to log in. Since we can type anything we want inside the form field, we control the data within this bounded space.
04:38
First we added the name scapegoat the user who we wish to frame. Next we have the line that reports a successful Logan for a scapegoat
04:47
below. There are still two lines that reflect to fail of log in. For these two make sense in context. We must add back the text from the first line with the user name set to a different account. Now it looks as though these to log in attempts happen sequentially. Next, we need to replace the line breaks with Sierra Left
05:06
CR left encoding. And my editor may not be the same as the one that the application expects,
05:13
so this is necessary for the line breaks to appear. Finally, while you are all in code the entire string because the request specifies a content type that requires this encoding for post data,
05:26
we now have our payload, the data that will submit to the server. Let's submit this entire string in the user name field and see what happens.
05:46
At first, nothing different seems to have happened, which is as we'd expect, however, let's show you what the log file now looks like because we copied the formatting long file. Exactly.
05:59
It now appears that the user scapegoat logged into the application at the time of our breach and effect made possible by sea are left injection vulnerability.
06:09
If it later came to light that Attackers had interfered with log and added even one fake entry to it. The entire integrity of that log would be compromised because there would be no way to guarantee that any given entry was legitimate. Nor could one distinguish good entries from bad with 100% certainty.
06:27
The effects of CR Elif injection are not simply limited to log injection. CR left injection, like most injections, is a means to an end. And any time an attacker is able to insert line delineate ER's into a data stream, it's important to understand the risk it could create within that context.
06:45
For example, if you're watching this video, it's possible that you've encountered a different kind of Sierra left related flaw, such as http response splitting.
06:55
In that scenario, an attacker could set arbitrary headers, take control of a response body or break a response into two or more separate responses. All because http separates headers, sections and requests using CR lefts. Though the target is not the same. The root cause of that vulnerability is the same.
07:14
The failure to neutralize Sierra lefts within client data
07:19
in summary, if an attacker is allowed to insert unwanted CR lefts into a data stream, it may be possible to misuse this ability in a variety of ways.
07:30
To learn more about different kinds of payloads and attacks is, well, a steps for remediation. Police continue to watch our training videos or participate in our training courses. This is Kevin Richard from Veracode. Thank you very much for watching
07:47
If a valid Sierra left injection flaw has been detected in your application, the next step is to update your code in order to remediate it. Click on any tab to see how to secure your code from the threat of Sierra Life injection.
08:00
Hello again.
08:01
This is Kevin Richard, security researcher with very code, and you've been watching our app sectorial on sea are left injection. In our last video, we showed the sort of circumstances in which an attacker might discover and misuse this vulnerability. Now that you've gained a basic understanding of this issue, let's demonstrate how to fix it. Fortunately, this will be a quick one.
08:22
First, let's bring up the code from our previous example.
08:24
When the user types third log in name and clicks authenticate the application makes a record of the Logan attempt as well as its outcome.
08:33
Here is the beginning of the code that makes a record of log in attempts.
08:37
It does this to recall toe log dot info.
08:39
We'll focus our attention solely on this line because this is the location where the attacker has the opportunity to submit data.
08:46
If you're watching this video because of Eric Otis, like CR left injection flaws in a scan of your application, chances are each flaw points to a call to a logging method within your code. In our example, the input had originated directly from the Web browser, but that's not what made this operation vulnerable
09:03
here. The important part is that the application wasn't equipped to handle the possibility of CR left sequences within this input stream.
09:11
So for this reason, we demonstrated how to effectively at new lines to the underlying log file through the use of CR less in order to address CR left injection and logs. All that we must do is prevent the two characters that make up a CR left sequence from being saved. Within this stream, although there are a few alternatives
09:31
are recommended approach is to encode any input from users that is written to the log
09:35
in Java applications. It's easy to do so using the logging interface of the sappy library Bio OSP SA Peas Logging interface is a simple obstruction designed to be easy to drop into existing projects. With logging already set up, implementations exist for both long for J
09:54
and the Native Java Longing package.
09:56
As the sappy logger Rights Log data. It also encode CR left characters in order to prevent log injection attacks to use it. Let's just take the loggers we've already defined in each class and have them referenced the A sappy class instead. And that's it. We can continue to use the code we've already written
10:16
optionally
10:16
to protect data for display in browser based on viewers. You can also set the SA P logar to HTML encode the entire line. In this case, is it necessary to do so? Way aren't feeling logs in the browser and we wouldn't wish to accidentally leave belong in unreadable state. So without a clear reason to do otherwise,
10:35
we'll leave this setting off.
10:37
However, if longs they're used in a Web component later, it would then be a good idea to turn this setting on decisions about risk levels and security controls are a frequent theme in the world of information security.
10:50
We based this example on long final injection, but see our left injection can also appear in forms such as http Response. Splitting this flaw rarely appears in a readily exploitable form, but if the fix is required, the same strategy could be used. Encoding. Sierra left characters before processing them.
11:09
Soppy also provides a suite of encoding methods that can handle this.
11:13
Remember, the encoding transforms dangerous characters within a stream of data into representations that cannot be executed as control characters. And so encoding CR lefts and user input will effectively defeat http Response. Leading attacks. It is always a safe and good practice to verify and validate this in point of the server side,
11:31
even after client side validation.
11:35
As a final note, the flaw in our example represents just one possible instance of CR life injection. If of Erica's skin has reported this flaw in your application, as is the case with any tool, it's possible that the details of these issues will differ from the exploit that you've just seen. If it can be shown that CR left sequences cannot in practice
11:56
at new lines to a data stream in your application,
11:58
then the flaw may be a candidate for mitigation by design. If you would like more information, please schedule the consultation call with our security consulting team or contact veracode support. This has been Kevin Richard from Veracode. Thank you very much for your time.
12:16
Hello again. This is Kevin Richard, security researcher with very code, and you've been watching our at SEC tutorial on C R left injection. In our last video, we showed the sort of circumstances in which an attacker might discover and misuse this vulnerability.
12:30
Now that you've gained a basic understanding of this issue, let's demonstrate how to fix it. Fortunately, this will be a quick one.
12:37
First, let's bring up the code from our previous example. Dot net version of Very Insecure utilizes the log for Net library for locking.
12:46
When the user types their log in name and clicks authenticate Log for Net makes a record of the logging attempt and its outcome. Here is the beginning of the code that does so. It does this through a call to log dot info. We'll focus our attention on this line alone because this is the location where an attacker has the chance to submit data.
13:05
If you're watching this video because VERACODE has flagged CR left injection flaws in a scan of your application, chances are each flaw points to a call to a logging method within your code.
13:16
In our example, the input had originated directly from the Web browser, but that's not what made this operation vulnerable here. The important part is that the application wasn't equipped to handle the possibility of CR left sequences within this input street. So for this reason,
13:31
way demonstrated how to effectively add new lines to the underlying log file through the use of Sierra laughs
13:37
in order to address Sierra left injection for logs. All that we have to do is to prevent the to see our left New line characters from being saved within this stream. When using lug fernet new lines air represented by a you Earl encoded cr lef,
13:54
this is the only encoding that log for Net will recognize is a new line,
13:58
so it follows that HTML encoding. CR lefts would neutralize their effect. Different approaches air also possible such a string. Replacing the Sierra left characters with blank space. But this may not work in all circumstances, as it does end up changing characters inside the log and would overwrite any legitimate ones used, for example in multi line logs.
14:18
So the best course of action is to prepare CR laughs within encoding. The your application does not consider to mean a new line within the given context here and in many other cases, that would be HTML uncoated. However, we should note that no single solution is assured toe work for all circumstances,
14:37
so it's vital to ensure that you've considered the choice and method.
14:39
We've based this example on injection into log files. But see our left injection can also appear in forms such as HDTV response. Splitting This law rarely appears in a readily explainable form, but if it fixes required, a different strategy can be used.
14:58
Setting the enable header checking property too true,
15:01
a benefit of DOT nets header checking is that it will prevent had her injection attacks. This strategy does not require code changes, but in situations where it is not possible, you can still fall back on encoding the characters
15:16
as a final note. The flaw in our example represents just one possible instance of CR life injection. If of Erica's skin has reported this flaw in your application, as is the case with any tool, it's possible that the details of these issues will differ from the exploit that you've just seen.
15:31
If it can be shown that CR left sequences cannot in practice at new lines to a data stream in your application, then the flaw may be a candidate for mitigation by design.
15:41
If you would like more information, please schedule the consultation call with our security consulting team or contact veracode support. This has been Kevin Richard from Veracode. Thank you very much for your time.
15:56
The scope of this course was not intended to cover every possible circumstance in which she are left. Injection could arise. Rather, it was designed to convey the basic idea of this flaw. Further information is available through the following links.
16:11
Thank you for viewing mishap SEC tutorial on C R life injection

Up Next

Secure Development, Programming, and Coding with Veracode

Learn about important secure coding methodologies including CRLF Injection, Directory Traversal, Information Leakage, Open Redirects, OS Command Injection, SQL Injection and Cross-site Scripting

Instructed By

Instructor Profile Image
veracode
Instructor