Hello, Khabrovites! Ahead of the start of classes for the next group of the professional course "Web Application Security", we have prepared another useful translation for you.
What is CRLF?
-, , HTTP- , . HTTP- HTML- ( ) , (carriage return) (line feed). CRLF.
- CRLF, , HTTP- . CRLF - , . CRLF - HTTP/1.1, -, Apache, Microsoft IIS .
CRLF-?
CRLF- , , - , , , . , CRLF- , HTTP- (HTTP Response Splitting).
CRLF- -
- CRLF- , , . , -. CRLF- - , OWASP Top 10. , , .
CRLF-
IP - - , :
123.123.123.123 - 08:15 - /index.php?page=home
CRLF- HTTP-, . - - :
/index.php?page=home&%0d%0a127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit
%0d %0a - URL CR LF. , , , :
IP - -
123.123.123.123 - 08:15 - /index.php?page=home&
127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit
, CRLF-, , . hijacking . , , restrictedaction, .
, , IP restrictedaction, , - . , localhost (, , , -, , , ), .
, %0d%0a . & restrictedaction, , . , , :
/index.php?page=home&restrictedaction=edit
HTTP Response Splitting
HTTP- CRLF, . CRLFCRLF , . , HTML-. .
HTTP Response Splitting, XSS
, , :
X-Your-Name: Bob
GET- "name". URL- , CRLFCRLF, . , , XSS:
?name=Bob%0d%0a%0d%0a<script>alert(document.domain)</script>
.
HTTP-
CRLF-, HTTP-, , XSS- (same-origin-policy). , CSRF-. cookie, (XSS).
HTTP-
HTTP-, CORS (Cross Origin Resource Sharing), javascript , SOP (Same Origin Policy), .
CRLF-
CRLF- XSS . , XSS Same Origin Policy , .
CRLF/HTTP- -
- . , CRLF. - , CR LF , HTTP-.