The exploit is that your request went through a proxy which followed the standard (but failed to reject the bare NL) and the client sent a header after a bare NL which you think came from the proxy but actually came from the client - such as the client's IP address in a fake X-Forwarded-For, which the proxy would have removed if it had parsed it as a header.

This attack is even worse when applied to SMTP because the attacker can forge emails that pass SPF checking, by inserting the end of one message and start of another. This can also be done in HTTP if your reverse proxy uses a single multiplexed connection to your origin server, and the attacker can make their response go to the next user and desync all responses after that.
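The parsing discrepancy described in the comment above, as an added Python example that is not code from the thread: a lenient parser (bare LF ends a line) sees the forged X-Forwarded-For as its own header, while a CRLF-only parser that refuses bare CR/LF inside a field rejects the request outright. The sample request and all function names are constructed for this illustration.

```python
import re

# Constructed sample request: the client-supplied "X-Real-Header" value hides a
# bare LF followed by a forged X-Forwarded-For line.
SMUGGLED = (
    b"GET / HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"X-Real-Header: value\nX-Forwarded-For: 127.0.0.1\r\n"
    b"\r\n"
)
CLEAN = b"GET / HTTP/1.1\r\nHost: app.example\r\nX-Real-Header: value\r\n\r\n"

# token ":" OWS field-value OWS (RFC 9112 field-line shape)
FIELD_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")

def _field_block(raw: bytes) -> bytes:
    """Return the raw header section without the request line."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    parts = head.split(b"\r\n", 1)
    return parts[1] if len(parts) > 1 else b""

def lenient_headers(raw: bytes) -> dict:
    """Tolerant parser: a bare LF terminates a line, so the smuggled
    X-Forwarded-For becomes a separate, trusted-looking header."""
    out = {}
    for line in re.split(rb"\r?\n", _field_block(raw)):
        m = FIELD_LINE.match(line)
        if m:
            out[m.group(1).lower().decode()] = m.group(2).decode()
    return out

def strict_headers(raw: bytes) -> dict:
    """CRLF-only parser that rejects bare CR or LF inside a field. RFC 9110
    s5.5 lets a recipient reject or replace such bytes; rejecting is the
    safe choice at a proxy that strips client-supplied trust headers."""
    out = {}
    for line in _field_block(raw).split(b"\r\n"):
        if not line:
            continue
        if b"\n" in line or b"\r" in line:
            raise ValueError("bare CR/LF inside header field: %r" % line)
        m = FIELD_LINE.match(line)
        if not m:
            raise ValueError("malformed field line: %r" % line)
        out[m.group(1).lower().decode()] = m.group(2).decode()
    return out

def proxy_accepts(raw: bytes) -> bool:
    """True if a strict front-end proxy would forward the request at all."""
    try:
        strict_headers(raw)
        return True
    except ValueError:
        return False
```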




Thanks, that was actually a very clear description of the problem!

The problem here is not to use one or the other, but to use a mix of both.


And the standard is CRLF, so you're either following the standard or using a mix.



