# Week 50 - CRLF Injection

This week’s web hacking tip is on Carriage Return and Line Feed (CRLF) Injection!

CRLF Injection occurs when an attacker can insert special characters (into a URL or parameter) that split the HTTP response. These special characters are:

%0d => Carriage Return\
%0a => Line Feed

When they are not sanitized, the web server interprets these characters as a line break and starts a new line in the HTTP response (see the image below).

How can I discover it?

Look for user input that is taken from GET/POST parameters and reflected into server response headers! Two common places this occurs are the “Location: \<user-input>” response header and the “Set-Cookie: \<user-input>” response header. If you have any other tips for discovery, let me know in the comments.

Who cares?

CRLF can allow an attacker to manipulate server-side files (such as logs) by adding new lines to them. More importantly, it can allow HTTP Response Splitting:

HTTP Response Splitting allows us to add a new response header, which can result in redirecting users or even session hijacking. For example, injecting a “Location: x” response header allows us to redirect the user, and injecting a “Set-Cookie: x” response header can allow for cookie injection!

We could even use CRLF to generate an entire second response from the server, which we would completely control.

How do you fix it?

Properly sanitize any user input before it is placed in a response header (reject or encode the CR and LF characters above) and apply HTML encoding where it is reflected into the response body.
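As an added example (not code from the original post), here is a redirect handler that concatenates the user's target into `Location:` beside a hardened version that rejects CR/LF, plus a small parser showing that the injected CRLF yields an extra `Set-Cookie` header only in the vulnerable one. The sample target and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample input: a redirect target taken from a GET parameter,
# URL-decoded the way the server would decode it (%0d%0a becomes CRLF).
SAMPLE_TARGET = unquote("/home%0d%0aSet-Cookie:%20injected=1")

_CRLF_RE = re.compile(r"[\r\n]")

def vulnerable_redirect(target: str) -> bytes:
    """302 response that concatenates raw user input into Location:
    the pattern described in the post, kept deliberately unsafe."""
    lines = ["HTTP/1.1 302 Found", f"Location: {target}",
             "Content-Length: 0", "", ""]
    return "\r\n".join(lines).encode("latin-1")

def safe_header_value(value: str) -> str:
    """Reject any CR or LF so the value can never end a header line.
    Rejecting beats stripping: stripping quietly turns a hostile value
    into a different but valid one and hides the attempt from logs."""
    if _CRLF_RE.search(value):
        raise ValueError("CR/LF not allowed in header value")
    return value

def hardened_redirect(target: str) -> bytes:
    """Same response, but every user-controlled header value is checked."""
    lines = ["HTTP/1.1 302 Found", f"Location: {safe_header_value(target)}",
             "Content-Length: 0", "", ""]
    return "\r\n".join(lines).encode("latin-1")

def rejects(target: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        hardened_redirect(target)
    except ValueError:
        return True
    return False

def parse_headers(raw: bytes) -> dict:
    """Split the head the way a browser does: every CRLF ends a header
    line, so an injected CRLF shows up as an extra header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers
```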

![](https://3053998085-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxZo6Sim2dDXChJQAtNXN%2Fuploads%2F9Fwnjlw1ktEKKHgqW5vQ%2Fimage.png?alt=media\&token=f8d7a698-d15e-44f7-ade4-5153d248f8df)
