Story of securing Mercedes FROM CRLF
As a bug bounty hunter, I’m always on the lookout for security vulnerabilities that I can report to companies and earn rewards. Recently, I discovered a CRLF injection vulnerability on Mercedes , and in this post, I’m going to share how I found it and the impact it had.
First, let me explain what CRLF injection is. CRLF stands for “Carriage Return Line Feed”, which are special characters used to represent the end of a line in various protocols, including HTTP. An attacker can inject CRLF characters into an HTTP header, which can lead to various attacks, such as HTTP response splitting, cross-site scripting, and cookie manipulation.
During my bug bounty testing, I used burp suite by intercepting the request and forwarding it to the repeater .
I was able to obtain a vulnerable output with the payload.
payload : GET /%0D%0ASet-Cookie:crlf=crlf HTTP/1.1
I noticed that the location header value was not properly sanitized, and I was able to inject CRLF characters into it using a simple payload like GET /%0D%0ASet-Cookie:crlf=crlf HTTP/1.1
This allowed me to manipulate the server’s response and inject arbitrary content into it, such as fake headers or even JavaScript code.
After finding this vulnerability i quickly reported it to Mercedes and got thank you mail .
reported on 11th Jan 2023
got triaged on : 15th jan 2023
thank you mail on : 25th jan 2023
To mitigate CRLF injection it’s important to properly sanitize user input before using it in HTTP headers. As a bug bounty hunter, it’s also important to keep an eye out for these types of vulnerabilities, as they can have a significant impact on the security of a web application and can make you earn bounties.
In conclusion, CRLF injection is a powerful technique that attackers can use to manipulate HTTP headers and perform various attacks. By understanding how it works and how to prevent it, we can help make the web a safer place for everyone.
Connect with me:
Instagram: https://www.instagram.com/devanshchauhan_
LinkedIn: https://www.linkedin.com/in/devansh-chauhan-b36b6a1b1/
Thank you
Devansh Chauhan
PS. This was my first writeup do support me.