Project: drogon
Tested Version: v1.8.4
Github Repository: https://github.com/drogonframework/drogon
drogon is vulnerable to CRLF injection when untrusted user input is used to set request headers through the addHeader function of HttpRequest. An attacker can place \r\n (carriage return / line feed) characters in a header value and inject additional headers, or even an additional request, into the request sent by the client.
More references on this vulnerability class and its impact:
- https://owasp.org/www-community/vulnerabilities/CRLF_Injection
- https://cwe.mitre.org/data/definitions/113.html
References to similar issues affecting other projects:
- https://security.snyk.io/vuln/SNYK-SWIFT-SWIFTSERVERASYNCHTTPCLIENT-3237994
- https://security.snyk.io/vuln/SNYK-JS-UNDICI-2980276
Setup:
- install the dependencies (tested on Ubuntu): https://github.com/drogonframework/drogon/wiki/ENG-02-Installation#system-preparation-examples
- install the project: https://github.com/drogonframework/drogon/wiki/ENG-02-Installation#drogon-installation
PoC:
The PoC demonstrates that a single API call can add arbitrary headers and make the server receive 2 requests.
- create a web server that logs incoming requests:
  drogon_ctl --version
  A utility for drogon
  Version: 1.8.4
  Git commit: 87a3132fd1c0da1a88e080c879a9e55af71586be
  drogon_ctl create project server
- paste the server code in main.cc
- build and run the server:
  cd build
  cmake ..
  make
  ./server
- create a client that sends requests whose headers contain CRLF characters:
  drogon_ctl create project client
- paste the client code in main.cc (inspired by https://github.com/drogonframework/drogon/blob/master/examples/client_example/main.cc)
- build and run the client:
  cd build
  cmake ..
  make
  ./client
Server Logs:
test1 request received
HEADERS
evil=hello1
myheader=A
connection=Keep-Alive
host=localhost:8081
user-agent=DrogonClient
test2 request received
HEADERS
evil=hello2
Impact:
If untrusted user input is placed in header values, a malicious user can inject additional headers and, as the PoC shows, terminate the request and append a second one. This can lead to logical errors and other misbehaviour in the receiving server, since headers and requests the application never intended to send are processed as if they were legitimate.
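The following is an added example, not code from the advisory or from the drogon project, written in C++ because that is the language of the affected API. It reproduces the mechanism behind the PoC with a minimal stand-in serializer (the hypothetical serializeRequest, which writes header values to the wire unchecked, the way the vulnerable addHeader path does) and shows the check a hardened addHeader needs (the hypothetical addHeaderChecked, with name and value validation following the RFC 7230 token and field-value grammar). The attacker-controlled value kEvilValue is a constructed input modelled on the server log above; the headers the framework adds on its own (Connection, Host, User-Agent) are left out for brevity.

```cpp
// Added example, not drogon's own code: a minimal HTTP/1.1 request serializer
// with the unsafe behaviour described in the advisory (header values written
// to the wire unchecked), plus the check a hardened addHeader should apply.
#include <cctype>
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

using Headers = std::vector<std::pair<std::string, std::string>>;

// Hypothetical stand-in for the framework serializer: each header is emitted as
// "name: value\r\n" with no validation, so CR/LF inside a value becomes framing.
std::string serializeRequest(const std::string& method, const std::string& path,
                             const Headers& headers) {
    std::string raw = method + " " + path + " HTTP/1.1\r\n";
    for (const auto& h : headers) {
        raw += h.first + ": " + h.second + "\r\n";
    }
    raw += "\r\n";  // blank line terminates the header block
    return raw;
}

// How many HTTP/1.1 requests a server would parse out of the raw bytes:
// split on the blank line and count chunks whose first line is a request line.
std::size_t countRequests(const std::string& raw) {
    std::size_t n = 0;
    std::size_t start = 0;
    while (start < raw.size()) {
        std::size_t end = raw.find("\r\n\r\n", start);
        std::string msg = raw.substr(start, end == std::string::npos ? std::string::npos : end - start);
        std::string line = msg.substr(0, msg.find("\r\n"));
        const std::string suffix = " HTTP/1.1";
        if (line.size() > suffix.size() &&
            line.compare(line.size() - suffix.size(), suffix.size(), suffix) == 0) {
            ++n;
        }
        if (end == std::string::npos) break;
        start = end + 4;
    }
    return n;
}

// RFC 7230 field-value: VCHAR, SP, HTAB and obs-text (0x80-0xFF) only.
// Every control character, including CR, LF and NUL, is rejected.
bool isValidHeaderValue(const std::string& value) {
    for (unsigned char c : value) {
        if (c == ' ' || c == '\t') continue;
        if (c < 0x21 || c == 0x7F) return false;
    }
    return true;
}

// RFC 7230 token: alphanumerics plus the listed punctuation, nothing else.
bool isValidHeaderName(const std::string& name) {
    static const std::string extra = "!#$%&'*+-.^_`|~";
    if (name.empty()) return false;
    for (unsigned char c : name) {
        if (std::isalnum(c) || extra.find(static_cast<char>(c)) != std::string::npos) continue;
        return false;
    }
    return true;
}

// Hypothetical hardened addHeader: validates before storing, so the value can
// never reach serializeRequest with CR/LF in it.
void addHeaderChecked(Headers& headers, const std::string& name, const std::string& value) {
    if (!isValidHeaderName(name) || !isValidHeaderValue(value)) {
        throw std::invalid_argument("invalid character in HTTP header: " + name);
    }
    headers.emplace_back(name, value);
}

// Constructed attacker-controlled value, modelled on the advisory's PoC: it
// adds a header to the first request, ends it, and starts a second one.
const std::string kEvilValue =
    "hello1\r\nmyheader: A\r\n\r\n"
    "GET /test2 HTTP/1.1\r\nHost: localhost:8081\r\nevil: hello2";

int main() {
    Headers unsafe{{"evil", kEvilValue}};
    std::string raw = serializeRequest("GET", "/test1", unsafe);
    std::cout << "unchecked addHeader: server sees " << countRequests(raw) << " request(s)\n";

    Headers safe;
    try {
        addHeaderChecked(safe, "evil", kEvilValue);
    } catch (const std::invalid_argument& e) {
        std::cout << "checked addHeader rejected value: " << e.what() << '\n';
    }
    return 0;
}
```

Run stand-alone, the unchecked path yields 2 requests from one call, which is what the server log above records; the checked path refuses the value before it is stored. The fix belongs at the API boundary (the setter), not in every caller: reject CR, LF and other control characters in both header names and values, rather than trusting application code to sanitise input first.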
Credit: Alessio Della Libera