LEFT SIDEBAR AD

Hidden in mobile, Best for skyscrapers.

Another 1500$: CR/LF Injection

3 months ago 22
BOOK THIS SPACE FOR AD
ARTICLE AD

Abhi Sharma

InfoSec Write-ups

Hi Everyone, How you all doing. Recently, while assessing the security of HuliaHub(Pseudonym of a private bbp), I found a critical CR/LF vulnerability. This marks my second CR/LF injection vulnerability found in this particular program within a month, highlighting the importance of rigorous security testing and patching.

Understanding CR/LF (Carriage Return/Line Feed) Injection

CR/LF (Carriage Return/Line Feed) injection is a type of security vulnerability. CR/LF refers to a sequence of two ASCII control characters: Carriage Return (CR, ASCII code 13) and Line Feed (LF, ASCII code 10). CR/LF injection vulnerabilities occur when attackers insert CR/LF characters into input fields, parameters, file extensions or file uploads to manipulate application behavior. This can lead to exploits such as altering headers, injecting malicious code, or manipulating file content.

Discovery of the Vulnerability

The CR/LF vulnerability found in HuliaHub’s authentication mechanism allows attackers to manipulate the redirect URL parameter during user authentication. This manipulation involves injecting special characters (%0D%0A), commonly used to denote new lines in HTTP headers. This vulnerability enables attackers to perform malicious actions post-authentication.

Reconnaissance and Testing

Read Entire Article
  3. Another 1500$: CR/LF Injection

Related

race condition on BBP

race condition on BBP

My Bug Bounty Hunting Methodology

My Bug Bounty Hunting Methodology

How i got 3 bugs from the wayback urls?

How i got 3 bugs from the wayback urls?

TryHackMe | NoSQLi Walkthrough

TryHackMe | NoSQLi Walkthrough

Beginner’s Guide to Ethical Hacking: What I Learned from My First Bug Bounty

Beginner’s Guide to Ethical Hacking: What I Learned from My First Bug Bounty

Android Pentesting can make you $500/day.

Android Pentesting can make you $500/day.

Trending

1. Gujarat Titans
2. Jofra Archer
3. Chess
4. Ipswich Town vs Man United
5. Kerala Blasters
6. SRH Retained Players 2025
7. Southampton vs Liverpool
8. Venkatesh Iyer
9. Harry Brook
10. CSK

Popular

1-click RCE in Electron Applications

1-click RCE in Electron Applications

Install waybackurls on Kali Linux

Install waybackurls on Kali Linux

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Install DalFox on Kali Linux

Install DalFox on Kali Linux

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Autodesk Revit 2023 R1 Build 23.0.11.19 (x64) Multilingual + Crack

Autodesk Revit 2023 R1 Build 23.0.11.19 (x64) Multilingual + Crack

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

BOOK THIS SPACE FOR AD
RIGHT SIDEBAR BOTTOM AD
Bengali (Bangladesh) Bengali (Bangladesh) · English (United States) English (United States) ·
About Us · Terms & Condition · Contact Us
© Security Alert 2024. All rights are reserved