A note caching API constructs Redis commands using string concatenation, creating opportunities for CRLF injection attacks. When user input is insufficiently sanitized, even simple note storage can become a pathway to Redis command injection and session manipulation. 🎯 Time to test your protocol injection skills!
CRLF injection is a web security vulnerability that occurs when an attacker can inject carriage return (CR, `\r`, 0x0D) and line feed (LF, `\n`, 0x0A) characters into application input that is used to construct protocol commands. When this vulnerability exists in applications that talk to Redis, it becomes a powerful attack vector for cache poisoning, session hijacking, and privilege escalation through arbitrary Redis command injection.
Redis speaks a text-based protocol called RESP (Redis Serialization Protocol), in which each command is terminated by a CRLF sequence. A proper client sends every argument as a length-prefixed bulk string, so a CRLF inside a value is just payload bytes; Redis also accepts a simpler "inline" format, where a command is one line of whitespace-separated words ending in a newline. When an application builds the wire bytes itself by concatenating user input into such a line (or hand-builds RESP with lengths that do not account for the injected bytes), an attacker can terminate the intended command prematurely and append additional Redis commands of their own. This is similar in principle to SQL injection, but targets the Redis protocol instead of SQL queries. Any application that builds Redis commands through string concatenation rather than passing arguments through a parameterized client is potentially vulnerable.
Cache poisoning through Redis command injection allows attackers to write arbitrary key-value pairs into the cache. In applications that store session data in Redis, this can lead to session hijacking or privilege escalation. By injecting a command such as `SET session:admin_token <attacker-chosen value>`, an attacker can create or overwrite session data to impersonate privileged users. Other attack scenarios include poisoning cached HTML content to deliver malicious scripts, modifying application configuration stored in Redis, or using `EVAL` to execute Lua scripts on the Redis server.
CRLF injection vulnerabilities affecting caching systems have been found in production applications across various industries. The consequences range from data tampering to complete application compromise. Prevention requires using Redis client libraries that pass each argument as a length-prefixed bulk string rather than splicing it into a command line, rejecting or stripping CR and LF from user input before it reaches any protocol command, and restricting what the application's Redis credentials may do (for example with Redis ACLs). Security professionals must understand these attack patterns to identify them effectively during penetration testing engagements.
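The following is an added example, not code from the lab or from Redis itself. It shows, offline, why the concatenation described above is exploitable and why a proper RESP encoder is not: a vulnerable inline-command builder is fed a note body containing a CRLF, a small simulation of Redis's line-based inline parsing shows the server would see two commands, and the same input run through a length-prefixed RESP encoder stays a single command. The `note:` key prefix, the `session:admin_token` key, the payload string and the two parser functions are constructed for illustration; the parsers approximate Redis's behaviour and are not its real code.

```python
# Added example: CRLF injection into a string-concatenated Redis command,
# beside the length-prefixed RESP encoding that is immune to it.
# Key names, payload and parsers are assumptions for illustration only.

def build_inline_command(note_id, body):
    """Vulnerable: builds a Redis *inline* command (space-separated words,
    newline-terminated) by plain string concatenation, as the note API does.
    Nothing stops a CR/LF inside `body` from starting a second command."""
    return f"SET note:{note_id} {body}\r\n".encode()


def split_inline_commands(wire):
    """Approximation of Redis's inline parsing: every LF- (or CRLF-)
    terminated line is one command, split on whitespace. Used only to show
    what the server would see; quoting rules are omitted."""
    commands = []
    for line in wire.split(b"\n"):
        line = line.rstrip(b"\r")
        if line:
            commands.append(line.split())
    return commands


def encode_resp(*args):
    """Safe: encodes one command as a RESP array of bulk strings. Each
    argument is prefixed by its byte length, so CR/LF inside an argument is
    ordinary payload; the server reads exactly that many bytes."""
    out = [f"*{len(args)}\r\n".encode()]
    for a in args:
        b = a.encode() if isinstance(a, str) else a
        out.append(f"${len(b)}\r\n".encode() + b + b"\r\n")
    return b"".join(out)


def parse_resp(wire):
    """Minimal reader for RESP arrays of bulk strings, giving the
    server-side view of what encode_resp produced."""
    commands, pos = [], 0
    while pos < len(wire):
        assert wire[pos:pos + 1] == b"*", "expected array header"
        end = wire.index(b"\r\n", pos)
        count, pos = int(wire[pos + 1:end]), end + 2
        args = []
        for _ in range(count):
            assert wire[pos:pos + 1] == b"$", "expected bulk string header"
            end = wire.index(b"\r\n", pos)
            length, pos = int(wire[pos + 1:end]), end + 2
            args.append(wire[pos:pos + length])   # exact byte count, CRLF inside is data
            pos += length + 2                     # skip the trailing CRLF
        commands.append(args)
    return commands


def reject_crlf(value):
    """Defence in depth for fields that must never span a protocol line
    (keys, IDs): refuse CR/LF outright instead of trying to strip it."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in this field")
    return value


# Constructed attacker input: a note body that closes the intended SET and
# appends a second SET overwriting a session key.
PAYLOAD = "hello\r\nSET session:admin_token attacker-controlled"

if __name__ == "__main__":
    vuln = build_inline_command("42", PAYLOAD)
    print(split_inline_commands(vuln))
    # -> [[b'SET', b'note:42', b'hello'],
    #     [b'SET', b'session:admin_token', b'attacker-controlled']]
    safe = encode_resp("SET", "note:42", PAYLOAD)
    print(parse_resp(safe))
    # -> [[b'SET', b'note:42', b'hello\r\nSET session:admin_token attacker-controlled']]
```

Run it as a script: the vulnerable path yields two commands, the second one never intended by the application, while the RESP path yields one `SET` whose value merely contains the attacker's text. When testing a real target, send the same kind of payload in the note body and then check whether the injected key exists; a working injection shows up as a new or overwritten key, not as an error.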