
How to fix CRLF injection vulnerability?

To fix a CRLF (Carriage Return Line Feed) injection vulnerability, you need to properly sanitize and validate user input to prevent attackers from injecting malicious CRLF sequences into HTTP headers, responses, or logs. CRLF injection can lead to HTTP response splitting, cache poisoning, or log forgery.

How to Fix It:

  1. Input Validation & Sanitization

    • Reject or encode any input containing \r (CR) or \n (LF) characters if they are not explicitly needed.
    • Use strict allowlists for input formats (e.g., only alphanumeric characters).
  2. Output Encoding

    • When displaying user input in HTTP headers or responses, encode or escape \r and \n to prevent them from being interpreted as control characters.
  3. Avoid Direct User Input in Headers

    • Never use raw user input in HTTP headers (e.g., Location, Set-Cookie, Content-Disposition). If necessary, sanitize and encode it properly.
  4. Use Secure Frameworks & Libraries

    • Modern web frameworks (e.g., Express.js, Django, Spring) reject or neutralize CR and LF in header values by default, so set headers through the framework's API rather than by string concatenation.
  5. HTTP Header Hardening

    • Ensure HTTP headers are generated in a controlled manner without direct user influence.

Example of CRLF Injection (Vulnerable Code):

from django.http import HttpResponse

def redirect_view(request):
    # Vulnerable: user input is written straight into a response header
    user_input = request.GET.get('redirect')
    response = HttpResponse()
    response['Location'] = user_input  # If user_input contains "\r\n", it can split the response
    return response

Fixed Example (Sanitized Input):

import re

from django.http import HttpResponse

def redirect_view(request):
    # Default to '' so re.sub never receives None when the parameter is absent
    user_input = request.GET.get('redirect', '')
    # Remove \r and \n characters so the value cannot terminate the header line
    sanitized_input = re.sub(r'[\r\n]', '', user_input)
    if sanitized_input:
        response = HttpResponse(status=302)
        response['Location'] = sanitized_input  # Safe to use
    else:
        response = HttpResponse("Invalid redirect URL", status=400)
    return response
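A stricter version of the fix above, added here as an example that is not part of the original article: it rejects every control character instead of only stripping CR and LF, validates header names as well, and escapes CR/LF before user input reaches a line-oriented log (the log forgery case mentioned at the top). It is plain Python with no Django dependency; the function names and sample values are constructed for illustration.

```python
import re

# CR, LF, NUL and the other C0 control characters plus DEL. HTAB (\x09) is the
# one control character RFC 9110 permits in a field value, so it is not listed.
_HEADER_VALUE_FORBIDDEN = re.compile(r'[\x00-\x08\x0a-\x1f\x7f]')
# Header names may contain only RFC 9110 "token" characters.
_HEADER_NAME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_safe_header_value(value: str) -> bool:
    """True when value cannot start a new header line or end the header block."""
    return _HEADER_VALUE_FORBIDDEN.search(value) is None


def build_header_line(name: str, value: str) -> str:
    """Serialise one header as 'Name: value\\r\\n'.

    Rejects rather than strips: a control character in a header value means the
    request is hostile or broken, and stripping can turn one dangerous value into
    a different, still-accepted one.
    """
    if not _HEADER_NAME.match(name):
        raise ValueError(f"invalid header name: {name!r}")
    if not is_safe_header_value(value):
        raise ValueError("header value contains CR, LF or other control characters")
    return f"{name}: {value}\r\n"


def escape_for_log(value: str) -> str:
    """Neutralise user input before writing it to a line-oriented log.

    Backslashes are doubled first so the visible escapes \\r and \\n stay
    unambiguous; a forged "\\r\\n" can then never begin a new log entry.
    """
    return value.replace("\\", "\\\\").replace("\r", "\\r").replace("\n", "\\n")


def header_count(raw_header_block: str) -> int:
    """Number of header lines an HTTP parser sees in a raw CRLF-delimited block.

    Used to show why unchecked concatenation (the vulnerable pattern above) turns
    a single Location header carrying "\\r\\n" into two headers.
    """
    return len([line for line in raw_header_block.split("\r\n") if line])


if __name__ == "__main__":
    # Constructed sample: a redirect target that smuggles a second header.
    payload = "https://example.com/\r\nSet-Cookie: session=attacker"
    print("unchecked concat yields", header_count("Location: " + payload + "\r\n"), "headers")
    print("escaped for log:", escape_for_log(payload))
```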

Using Tencent Cloud Services for Enhanced Security:

  • Tencent Cloud Web Application Firewall (WAF) – Automatically detects and blocks CRLF injection attempts.
  • Tencent Cloud API Gateway – Helps sanitize and validate API inputs to prevent injection attacks.
  • Tencent Cloud Security Center – Provides vulnerability scanning to identify CRLF risks in your applications.

By following these practices and leveraging secure cloud services, you can effectively mitigate CRLF injection vulnerabilities.