CRLF Injection
What is CRLF Injection?
CRLF Injection
An attack that inserts carriage-return and line-feed characters into HTTP headers, log files, or other text protocols to forge new lines and change semantics.
CRLF injection abuses the special meaning of the CR (0x0D) and LF (0x0A) byte sequence that terminates lines in many text-based protocols. When an application reflects unvalidated user input into HTTP response headers, log entries, SMTP commands, or LDAP queries, an attacker can inject a CRLF pair followed by additional content to forge headers, split responses, hide entries in logs, or smuggle commands. In web contexts, the most damaging form is HTTP response splitting, which can poison shared caches, set arbitrary cookies, or inject XSS into a controlled response body. Defenses include rejecting CR/LF in user input destined for headers, using high-level APIs that escape them, and strict log encoders.
● Examples
- 01 Set-Cookie: id=foo%0d%0aSet-Cookie: admin=true — adds a second cookie via CRLF.
- 02 Location: /redir%0d%0aContent-Length:0%0d%0a%0d%0a<html>... — HTTP response splitting.
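The defences named above (reject CR/LF in header-bound input, serialize headers through an API that refuses them, encode log fields) can be shown end to end in a few functions. The following is an added example, not code from the original page; the function names are my own, and the only inputs it uses are the two payloads quoted in the Examples section, URL-encoded as they would arrive in a request.

```python
"""Defensive handling of CR/LF in header-bound and log-bound input.

Added example, not part of the original page. The function names are
assumptions; the two sample payloads are the ones quoted in the page's
Examples section, embedded here as constructed test input.
"""
from urllib.parse import unquote

# Characters that terminate a line in HTTP/1.x and most text protocols.
# Some parsers accept a bare LF, so each character is rejected on its own.
_LINE_BREAKS = ("\r", "\n")


def has_line_break(value: str) -> bool:
    """Return True if the value would start a new protocol line."""
    return any(ch in value for ch in _LINE_BREAKS)


def validate_header_value(value: str) -> str:
    """Reject-or-pass check for input destined for an HTTP response header.

    Run this on the fully decoded value: the framework, not the attacker,
    turns %0d%0a into the raw bytes, so a check on the encoded form misses it.
    Rejecting beats stripping: silently deleting CR/LF can produce a value
    the application never intended to accept.
    """
    if has_line_break(value):
        raise ValueError("CR/LF not allowed in header value")
    return value


def build_response_head(status_line: str, headers: dict) -> bytes:
    """Serialize a response head, routing every header through the check."""
    lines = [status_line]
    for name, value in headers.items():
        if has_line_break(name) or ":" in name:
            raise ValueError(f"invalid header name: {name!r}")
        lines.append(f"{name}: {validate_header_value(value)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def count_header_lines(raw_value: str) -> int:
    """How many header lines an unchecked, URL-decoded value would emit."""
    decoded = unquote(raw_value)
    return len(decoded.replace("\r\n", "\n").split("\n"))


def encode_log_field(value: str) -> str:
    """Escape control characters so user input cannot forge a log line."""
    out = []
    for ch in value:
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            out.append(f"\\x{code:02x}")
        else:
            out.append(ch)
    return "".join(out)


def header_is_rejected(raw_value: str) -> bool:
    """True if the URL-decoded value fails the header check."""
    try:
        validate_header_value(unquote(raw_value))
        return False
    except ValueError:
        return True


# Constructed inputs: the page's two example payloads, URL-encoded as received.
COOKIE_PAYLOAD = "foo%0d%0aSet-Cookie: admin=true"
SPLIT_PAYLOAD = "/redir%0d%0aContent-Length:0%0d%0a%0d%0a<html>..."

if __name__ == "__main__":
    for payload in (COOKIE_PAYLOAD, SPLIT_PAYLOAD):
        print(f"{payload!r}: {count_header_lines(payload)} header lines if "
              f"unchecked, rejected={header_is_rejected(payload)}")
    # A forged second log entry stays inside one field once encoded.
    print(encode_log_field("login failed for bob\r\n12:00 INFO login ok for admin"))
    print(build_response_head("HTTP/1.1 302 Found", {"Location": "/home"}))
```

The check sits in the serializer rather than at each call site, so a forgotten validation cannot reintroduce the split; count_header_lines is only there to make visible how many lines the two payloads would have produced had the check been skipped.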
● Frequently asked questions
What is CRLF Injection?
An attack that inserts carriage-return and line-feed characters into HTTP headers, log files, or other text protocols to forge new lines and change semantics. It belongs to the Attacks & Threats category of cybersecurity.
How does CRLF Injection work?
CRLF injection abuses the special meaning of the CR (0x0D) and LF (0x0A) byte sequence that terminates lines in many text-based protocols. When an application reflects unvalidated user input into HTTP response headers, log entries, SMTP commands, or LDAP queries, an attacker can inject a CRLF pair followed by additional content to forge headers, split responses, hide entries in logs, or smuggle commands. In web contexts, the most damaging form is HTTP response splitting, which can poison shared caches, set arbitrary cookies, or inject XSS into a controlled response body. Defenses include rejecting CR/LF in user input destined for headers, using high-level APIs that escape them, and strict log encoders.
How do you defend against CRLF Injection?
Defences for CRLF Injection combine technical controls with operational practices: reject CR and LF in any user input destined for headers, use high-level HTTP APIs that escape or refuse them, and write log entries through a strict log encoder, as detailed in the full definition above.
What are other names for CRLF Injection?
Common alternative names include: Carriage return line feed injection, Log injection.
● Related terms
- vulnerabilities № 495: HTTP Response Splitting
  An injection vulnerability where untrusted CR/LF characters in user input force the server to emit additional, attacker-controlled HTTP responses.
- vulnerabilities № 139: Cache Poisoning
  An attack that stores a malicious response in a shared cache so that other users later receive the attacker's content.
- attacks № 240: Cross-Site Scripting (XSS)
  A web vulnerability that allows attackers to inject malicious scripts into pages viewed by other users, executing in the victim's browser under the site's origin.
- attacks № 202: Command Injection
  An attack where user input is passed unsanitized to an operating-system shell, causing the application to execute attacker-supplied commands.
- appsec № 538: Input Validation
  The server-side check that every untrusted input matches an expected type, length, range, format and value set before being processed by the application.
- attacks № 759: Open Redirect
  A vulnerability where an application forwards users to a URL supplied in a request parameter without validating it, enabling phishing and credential-harvesting campaigns.