Request for Adding CRLF Injection Check to ASVS #1561
Comments
|
It's not in special spotlight, but it is covered by 5.3.1:
If to go to separate requirement, then it should be more abstract to cover also emails etc, like: |
|
What do you think about this one? |
|
I do not know if this is all correct information but I really like the level of precision |
|
The other issue is that many (most) frameworks handle this automatically. Do you know where this defense is needed and where this is automatically protected in frameworks? |
|
Hi @jmanico , we can find CRLF injection write-ups in well-known companies, for example: |
@elarlang is this vulnerability covered by this:
|
|
@ImanSharaf @jmanico @elarlang I think I agree with @elarlang that this requirement seems to cover CRLF in HTTP headers
I think overall this requirement needs some work but technically it is covered. Any further comments @ImanSharaf or @jmanico ? |
tghosth
added
2) Awaiting response
|
Yes, my example is covered by 5.2.3 but also matches to CRLF injection topic. From ASVS side the question is - is CRLF injection widespread and critical enough to have separate requirement for giving it extra attention or are we happy to have it covered by 5.3.1? |
|
I have not seen any significant CLRF
I am not sure of this either, but ImanSharaf seems to give us good recent information that CLRF is found recently in some rather large bug bounties... |
|
Thank you for your response and for pointing out that ASVS 5.3.1 does technically cover CRLF Injection in HTTP headers. However, I would like to express my concern that the current wording of 5.3.1 might not explicitly highlight the importance of testing for CRLF Injection attacks. As a result, testers might inadvertently overlook this specific attack vector when performing security assessments. |
|
Compared to other relatively exotic issues for new requirements, CRLF is actually exists and I think it makes sense to have more attention to it. Should it be in separate requirement or clearly said out in some other requirement is another question. Maybe we need to split up this monster list of technologies from 5.3.1 and then those separate requirements can fit more examples. |
|
For the record - "I'm ok with it" was for content as "I'm ok with it (as it's technically correct)" and does not mean it can not be improved :) |
I noticed that the current version of the Application Security Verification Standard (ASVS) does not include a check for CRLF Injection vulnerabilities. CRLF Injection is a type of injection attack that involves inserting CRLF characters (carriage return and line feed) into an HTTP request or response to manipulate the message's headers or body. This can lead to a range of security issues, such as HTTP response splitting, cross-site scripting (XSS), and cross-site request forgery (CSRF).
Given the severity and prevalence of CRLF Injection attacks, I recommend that ASVS includes a specific check for this vulnerability. This would help organizations to identify and mitigate CRLF Injection vulnerabilities in their web applications, and ensure that their applications are secure against this type of attack.
A sample check could be this one:
Verify that input validation and encoding of HTTP request and response headers and bodies is performed to prevent CRLF Injection attacks. Verify that the application does not allow CRLF characters (i.e. '\r', '\n', '%0d', '%0a') to be injected into HTTP headers and bodies.
The text was updated successfully, but these errors were encountered: