From 683e7bb7395a9e247233052e39bc4f6180750610 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 16 Jul 2025 01:42:58 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/pentesting-web/crlf-0d-0a.md --- src/pentesting-web/crlf-0d-0a.md | 55 ++++++++++++++++++++++++++++---- 1 file changed, 48 insertions(+), 7 deletions(-) diff --git a/src/pentesting-web/crlf-0d-0a.md b/src/pentesting-web/crlf-0d-0a.md index a0f59c0a4..4c896e899 100644 --- a/src/pentesting-web/crlf-0d-0a.md +++ b/src/pentesting-web/crlf-0d-0a.md 
@@ -201,20 +201,61 @@ To mitigate the risks of CRLF (Carriage Return and Line Feed) or HTTP Header Inj • Payload = %E5%98%8A%E5%98%8DSet-Cookie:%20test ``` +### Recent Vulnerabilities (2023 – 2025) + +The last few years have produced several high-impact CRLF/HTTP header-injection bugs in widely-used server- and client-side components. Reproducing and studying them locally is an excellent way of understanding real-world exploitation patterns. + +| Year | Component | CVE / Advisory | Root cause | PoC highlight | +|------|-----------|---------------|------------|---------------| +| 2024 | RestSharp (≥110.0.0 <110.2.0) | **CVE-2024-45302** | The `AddHeader()` helper did not sanitize CR/LF, allowing construction of multiple request headers when RestSharp is used as an HTTP client inside back-end services. Down-stream systems could be coerced into SSRF or request smuggling. | `client.AddHeader("X-Foo","bar%0d%0aHost:evil")` | +| 2024 | Refit (≤ 7.2.101) | **CVE-2024-51501** | Header attributes on interface methods were copied verbatim into the request. By embedding `%0d%0a`, attackers could add arbitrary headers or even a second request when Refit was used by server-side worker jobs. | `[Headers("X: a%0d%0aContent-Length:0%0d%0a%0d%0aGET /admin HTTP/1.1")]` | +| 2023 | Apache APISIX Dashboard | **GHSA-4h3j-f5x9-r6x3** | User-supplied `redirect` parameter was echoed into a `Location:` header without encoding, enabling open redirect + cache poisoning. | `/login?redirect=%0d%0aContent-Type:text/html%0d%0a%0d%0a` | + +These bugs are important because they are triggered **inside application-level code** and not only at the web-server edge. Any internal component that performs HTTP requests or sets response headers must therefore enforce CR/LF filtering. + +### Advanced Unicode / Control-Character Bypasses + +Modern WAF/rewriter stacks often strip literal `\r`/`\n` but forget about other characters that many back-ends treat as line terminators. 
When CRLF is filtered, try: + +* `%E2%80%A8` (`U+2028` – LINE SEPARATOR) +* `%E2%80%A9` (`U+2029` – PARAGRAPH SEPARATOR) +* `%C2%85` (`U+0085` – NEXT LINE) + +Some Java, Python and Go frameworks convert these to `\n` during header parsing (see the 2023 Praetorian research). Combine them with classic payloads: + +``` +/%0A%E2%80%A8Set-Cookie:%20admin=true +``` + +If the filter normalises UTF-8 first, the control character is turned into a regular line-feed and the injected header is accepted. + +### WAF Evasion via Duplicate `Content-Encoding` Trick (2023) + +Praetorian researchers also showed that by injecting: + +``` +%0d%0aContent-Encoding:%20identity%0d%0aContent-Length:%2030%0d%0a +``` + +into a reflected header, browsers will ignore the body supplied by the server and render attacker-supplied HTML that follows, giving stored XSS even when the application’s own content is inert. Because `Content-Encoding: identity` is allowed by RFC 9110, many reverse-proxies forward it unchanged. + ## Automatic Tools -- [https://github.com/Raghavd3v/CRLFsuite](https://github.com/Raghavd3v/CRLFsuite) -- [https://github.com/dwisiswant0/crlfuzz](https://github.com/dwisiswant0/crlfuzz) +* [CRLFsuite](https://github.com/Raghavd3v/CRLFsuite) – fast active scanner written in Go. +* [crlfuzz](https://github.com/dwisiswant0/crlfuzz) – wordlist-based fuzzer that supports Unicode newline payloads. +* [crlfix](https://github.com/glebarez/crlfix) – 2024 utility that patches HTTP requests generated by Go programs and can be used standalone to test internal services. 
## Brute-Force Detection List -- [https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/crlf.txt](https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/crlf.txt) +- [carlospolop/Auto_Wordlists – crlf.txt](https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/crlf.txt) ## References -- [**https://www.invicti.com/blog/web-security/crlf-http-header/**](https://www.invicti.com/blog/web-security/crlf-http-header/) -- [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/) -- [**https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning) -- [**https://www.netsparker.com/blog/web-security/crlf-http-header/**](https://www.netsparker.com/blog/web-security/crlf-http-header/) +- [https://www.invicti.com/blog/web-security/crlf-http-header/](https://www.invicti.com/blog/web-security/crlf-http-header/) +- [https://www.acunetix.com/websitesecurity/crlf-injection/](https://www.acunetix.com/websitesecurity/crlf-injection/) +- [https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning) +- [https://www.netsparker.com/blog/web-security/crlf-http-header/](https://www.netsparker.com/blog/web-security/crlf-http-header/) +- [https://nvd.nist.gov/vuln/detail/CVE-2024-45302](https://nvd.nist.gov/vuln/detail/CVE-2024-45302) +- [https://security.praetorian.com/blog/2023-unicode-newlines-bypass/](https://security.praetorian.com/blog/2023-unicode-newlines-bypass/) {{#include ../banners/hacktricks-training.md}}
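Review bot: The "Advanced Unicode / Control-Character Bypasses" section claims that "Some Java, Python and Go frameworks convert these to `\n` during header parsing" without naming a single framework or version, and the only supporting reference added is `https://security.praetorian.com/blog/2023-unicode-newlines-bypass/`, which is also the sole source for the "Duplicate `Content-Encoding` Trick" section; please link the specific research post or advisory that demonstrates this behaviour, or drop the claim, since readers otherwise cannot tell which back-ends actually treat `U+2028`, `U+2029` or `U+0085` as line terminators. The `Content-Encoding` paragraph also never explains what role `Content-Encoding: identity` plays: the effect it describes (the browser ignoring the server's body and rendering whatever follows) is produced by the injected `Content-Length`, so the mechanism should be stated accurately or the heading changed. In the vulnerability table, the "PoC highlight" cells for RestSharp and Refit place percent-encoded `%0d%0a` inside a C# string literal and a C# attribute, where no URL-decoding takes place, so they do not illustrate the bugs as the "Root cause" column describes them; cite the advisories' own descriptions instead (the added `nvd.nist.gov` reference covers CVE-2024-45302 only, while CVE-2024-51501, `GHSA-4h3j-f5x9-r6x3` and the `crlfix` tool have no reference at all). Minor style point: "Automatic Tools" now uses `*` bullets while the adjacent "Brute-Force Detection List" and "References" keep `-`; pick one for the file.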