Project: libhv
Tested Version: v1.3.0 (commit 579938146ff0cd99d379c038bea80d3241c5bc36)
Github Repository: https://github.com/ithewei/libhv
libhv is vulnerable to CRLF Injection when untrusted user input is used to set request headers. An attacker can add the \r\n (carriage return, line feed) characters and inject additional headers into the request sent.
References about this vulnerability and its impact:
- https://owasp.org/www-community/vulnerabilities/CRLF_Injection
- https://cwe.mitre.org/data/definitions/113.html
References to similar issues affecting other projects:
- https://security.snyk.io/vuln/SNYK-SWIFT-SWIFTSERVERASYNCHTTPCLIENT-3237994
- https://security.snyk.io/vuln/SNYK-JS-UNDICI-2980276
Install and build the project https://github.com/ithewei/libhv#%EF%B8%8F-build
git clone https://github.com/ithewei/libhv.git
cd libhv
mkdir build
cd build
cmake ..
cmake --build .
The PoC demonstrates how it's possible to add arbitrary headers.
- create and start a local server to log incoming requests:
python3 server.py
- paste the http_client_test.cpp content under https://github.com/ithewei/libhv/blob/master/examples/http_client_test.cpp
- run the client:
cmake --build .
./bin/http_client_test
Server logs:
Starting server...
GET request,
Path: /test1
Headers:
Accept: */*
Connection: keep-alive
Host: 127.0.0.1:8080
MyHeader: test
evil: hello1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
127.0.0.1 - - [16/May/2023 12:20:28] "GET /test1 HTTP/1.1" 200 -
If untrusted user input is placed in header values, a malicious user can inject additional headers, which can lead to logical errors and other misbehaviour.
Alessio Della Libera
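As a defensive illustration added here (not libhv's code), the check below implements the validation the report calls for: header names must be RFC 9110 tokens and values must not contain CR or LF, so the "test\r\nevil: hello1" value from the server log above is refused before it reaches the wire. The function names are my own.

```cpp
// Added example (not libhv's code): validate header names and values before
// serializing them, so an attacker-controlled value such as
// "test\r\nevil: hello1" cannot smuggle a second header into the request.
#include <cctype>
#include <cstdio>
#include <cstring>
#include <map>
#include <stdexcept>
#include <string>
// RFC 9110 field-name: a non-empty token of letters, digits and
// !#$%&'*+-.^_`|~ ; CR, LF, SP and ':' are therefore rejected.
bool valid_header_name(const std::string& name) {
    if (name.empty()) return false;
    for (unsigned char c : name) {
        if (std::isalnum(c)) continue;
        if (c == '\0' || std::strchr("!#$%&'*+-.^_`|~", c) == nullptr) return false;
    }
    return true;
}

// RFC 9110 field-value: visible chars, SP, HTAB and obs-text (>= 0x80);
// CR, LF, NUL, other control characters and DEL are rejected.
bool valid_header_value(const std::string& value) {
    for (unsigned char c : value) {
        if (c == '\r' || c == '\n' || c == 0x7f) return false;
        if (c < 0x20 && c != '\t') return false;
    }
    return true;
}

// Serialize headers into wire format; throw instead of emitting a bad header.
std::string serialize_headers(const std::map<std::string, std::string>& headers) {
    std::string out;
    for (const auto& kv : headers) {
        if (!valid_header_name(kv.first) || !valid_header_value(kv.second))
            throw std::invalid_argument("rejected header: " + kv.first);
        out += kv.first + ": " + kv.second + "\r\n";
    }
    return out;
}

// True when every header passed validation, false when one was rejected.
bool headers_accepted(const std::map<std::string, std::string>& headers) {
    try { serialize_headers(headers); return true; }
    catch (const std::invalid_argument&) { return false; }
}
int main() {  // constructed inputs: a benign value and the PoC's injected value
    std::printf("benign accepted: %d\n", headers_accepted({{"MyHeader", "test"}}));
    std::printf("crlf accepted:   %d\n", headers_accepted({{"MyHeader", "test\r\nevil: hello1"}}));
}
```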
My understanding is: this generally does not cause any problems; in the end it is still a problem of the web application, which has not validated its input. For example: there is a URL
example.com/?last_visited_blog_id=10
, and the server does not check whether the last_visited_blog_id parameter is a number and directly adds a : header to the response. At this point the attacker crafts a request
example.com/?last_visited_blog_id=10\r\nset-cookie=123\r\ncontent-type:text/html\r\n\r\n<html><scritp>alert("123")</script></html>
(for readability I have not escaped the \r\n here). Suppose the browser used libhv's current handling; then the request the browser receives becomes Since injection is possible, there is a lot that can be done.