HIGH crlf injectionfeathersjshmac signatures

Crlf Injection in Feathersjs with Hmac Signatures

Scan for crlf injection in feathersjs

Crlf Injection in Feathersjs with Hmac Signatures — how this specific combination creates or exposes the vulnerability

Crlf Injection occurs when an attacker can inject carriage return (CR, \r) and line feed (\n) characters into a header or key-value segment of an HTTP message. In Feathersjs applications that use Hmac Signatures for request authentication, this becomes particularly dangerous because the injected newline can allow an attacker to create a second, malicious signature line without invalidating the first valid line. Many Hmac verification schemes concatenate headers (such as timestamp and nonce) with a secret to compute an Hmac. If a developer splits that string on newline characters and processes only the first line, an attacker-supplied newline can terminate the expected data and append a new line that the server may still accept.

Consider a Feathersjs service that expects an Authorization header formatted as HMAC timestamp=1700000000,nonce=abc123 and computes the Hmac over the string timestamp=1700000000\nnonce=abc123. If the attacker can inject a newline, they might send timestamp=1700000000\nonce=abc123\nextradata=value. Some implementations that split on newline and take the first segment will compute the correct Hmac for timestamp=1700000000\nonce=abc123 and then ignore the extra line, effectively accepting a request that includes attacker-controlled parameters (extradata). This can lead to BOLA/IDOR-like outcomes when the extra data influences resource selection or bypasses intended constraints.

Input validation that does not reject \r or \n in header values compounds the risk. For example, if a timestamp header is used without sanitization, an attacker can inject newlines to manipulate parsing logic. Even if the Hmac is computed over the full header string, a newline in an unexpected place can change how parsers split key-value pairs, enabling header smuggling or parameter injection. Rate limiting and data exposure checks may also be bypassed if injected lines alter how request metadata is interpreted by the application or by an API gateway that relies on newline-sensitive parsing.

To detect this pattern, middleBrick scans for the presence of \r or \n in header values and examines how the server parses multi-line inputs. The LLM/AI Security checks specifically look for prompt injection techniques that rely on newline manipulation, which parallels how newline injection can subvert parsing logic in APIs. Observability into whether the server distinguishes lines versus treating input as a single blob helps identify whether Crlf Injection is feasible in the Hmac flow.

Hmac Signatures-Specific Remediation in Feathersjs — concrete code fixes

Remediation centers on strict input validation, canonical construction of the signed string, and robust parsing that does not rely on simple newline splits. Ensure that header values do not contain \r or \n, and enforce a single, deterministic format for the data that is signed.

First, sanitize and normalize inputs before building the string to sign. For timestamp and nonce, reject any values containing carriage returns or line feeds:

function sanitize(value) {
  if (typeof value !== 'string') throw new Error('Invalid type');
  if (/[\r\n]/.test(value)) {
    throw new Error('Invalid characters in input');
  }
  return value;
}

const timestamp = sanitize(req.headers['x-timestamp']);
const nonce = sanitize(req.headers['x-nonce']);

Second, construct the string to sign in a canonical way that does not depend on split behavior. Use a clearly defined delimiter that is not allowed in inputs, and avoid newlines:

const stringToSign = `timestamp=${timestamp},nonce=${nonce}`;
const expectedSignature = crypto.createHmac('sha256', secret).update(stringToSign).digest('hex');

Third, verify the signature in a single, constant-time comparison to avoid leaking information via timing differences. Do not re-parse the raw header with line-based splits; instead, extract parameters from the already-sanitized values:

const providedSignature = req.headers['authorization']?.replace('HMAC ', '');
if (!crypto.timingSafeEqual(Buffer.from(expectedSignature), Buffer.from(providedSignature))) {
  throw new Error('Invalid signature');
}

Finally, enforce strict schema validation for incoming headers and body parameters. MiddleBrick’s Property Authorization and Input Validation checks can highlight cases where newline characters are accepted. When using the CLI to scan from terminal with middlebrick scan <url>, you can quickly identify endpoints that accept unsafe header values. For teams needing continuous oversight, the Pro plan’s continuous monitoring and GitHub Action integration can fail builds if risk scores exceed your defined thresholds, helping prevent regressions that could reintroduce newline-sensitive parsing issues.

These steps ensure that Hmac verification in Feathersjs remains resilient against Crlf Injection, while keeping the signed string deterministic and the verification logic simple and robust.

Scan for crlf injection in feathersjs Free API security scan

Frequently Asked Questions

How can I test my Feathersjs Hmac endpoint for Crlf Injection using middleBrick?
Run middleBrick against your endpoint using the CLI: middlebrick scan . The scan will include Input Validation and Property Authorization checks that flag the acceptance of \r or \n in headers, and the LLM/AI Security tests can surface newline-based injection patterns relevant to API parsing.
Does the Pro plan help prevent Crlf Injection regressions in CI/CD?
Yes. With the GitHub Action, you can add API security checks to your CI/CD pipeline and fail builds if the risk score drops below your threshold. Continuous monitoring in the Pro plan also schedules regular scans so issues tied to newline-sensitive parsing are caught early.

Related Pages

Crlf Injection in FeathersjsCRLF Injection in Feathersjs applications: how to detect and prevent header injection attacks in your Node.js API using Crlf Injection with Hmac SignaturesCRLF injection in HMAC signatures allows attackers to manipulate signed HTTP headers, bypassing authentication. Learn spCrlf Injection in Feathersjs on Fly IoCrlf Injection in Feathersjs with Fly Io and Fly Io-specific remediation with safe code examples.Crlf Injection in Feathersjs on SupabaseUnderstand and remediate CRLF Injection in Feathersjs with Supabase: attack mechanics, validation hooks, Supabase-safe cCrlf Injection in Feathersjs on RailwayUnderstand and remediate Crlf Injection in Feathersjs on Railway with concrete code examples and middleBrick scanning guPci Dss: Crlf Injection in FeathersjsExplore PCI DSS implications of CRLF Injection in FeathersJS, with concrete remediation examples and middleBrick scanninSoc2: Crlf Injection in FeathersjsExplore how Soc 2 requirements intersect with Crlf Injection in Feathersjs APIs, with concrete remediation code examplesIso 27001: Crlf Injection in FeathersjsExplore ISO 27001 controls relevant to Crlf Injection in FeathersJS, with concrete remediation code examples and how midCis: Crlf Injection in FeathersjsCis in Crlf Injection with Feathersjs: risks and Feathersjs-specific remediation with code examples and middleBrick scanCrlf Injection in Feathersjs with FirestoreExplore Crlf Injection in Feathersjs with Firestore, understand the risks, and apply Firestore-specific remediation withCrlf Injection in Feathersjs with DynamodbExplore Crlf Injection risks in Feathersjs with Dynamodb, understand the attack surface, and apply DynamoDB-specific remCrlf Injection in Feathersjs with CockroachdbUnderstand Crlf Injection in Feathersjs with Cockroachdb and apply concrete fixes with code examples to prevent header s