# Week 50 - CRLF Injection

This week’s web hacking tip is on Carriage Return and Line Feed (CRLF) Injection!

CRLF Injection occurs when an attacker can insert special characters (into a URL or parameter) that split the HTTP response. These special characters are:

%0d => Carriage Return (CR, `\r`)\
%0a => Line Feed (LF, `\n`)

HTTP separates the status line, each response header and the body with the CRLF sequence. When user input is written into a header without being sanitized, the decoded %0d%0a is interpreted by the web server (and by the browser or proxy reading the response) as the end of the current header and the start of a new line in the HTTP response, so whatever follows is parsed as a new header. A second CRLF pair (%0d%0a%0d%0a) ends the headers entirely and starts the response body (see attached image).

How can I discover it?

Look for user input that is taken from GET/POST parameters and reflected into server response headers! Some common areas this occurs are in the “Location: \<user-input>” response header (redirect parameters such as next=, url= or returnTo=) as well as the “Set-Cookie: \<user-input>” response header (a language or preference value the server stores in a cookie). A quick probe is to append %0d%0aX-Test:%20injected to the parameter and check the raw response for an X-Test header; also try the double-encoded form (%250d%250a), since a front-end proxy and the backend may decode the input differently. If you have any other tips for discovery, let me know in the comments.

Who cares?

CRLF can allow an attacker to manipulate server-side files (such as logs) by adding new lines to them, forging entries that look like legitimate events. But more importantly, it can allow HTTP Response Splitting:

HTTP Response Splitting allows us to add a new response header, which can result in redirecting users or even session hijacking. For example, injecting a “Location: x” response header allows us to redirect the user. Injecting a “Set-Cookie: x” response header allows for cookie injection, such as fixing the victim’s session ID to a value the attacker already knows!

We could even use CRLF to inject a blank line (%0d%0a%0d%0a) followed by an entire second response, which we would completely control. A browser or caching proxy that reads the stream as two responses can serve the attacker’s response for the next request, which is how response splitting turns into stored XSS or web cache poisoning.

How do you fix it?

Strip or reject CR and LF from any user input before it is placed in a response header, and do the check after URL decoding so that %0d%0a cannot slip through. HTML encoding on its own is not the fix: it targets characters such as \< and &, and CR/LF are not HTML metacharacters, so an HTML-encoded value can still break a header. Most modern frameworks (for example Django and Node’s http module) refuse to set a header value containing CR or LF, so prefer those APIs over building headers by string concatenation; a CRLF bug today usually means the application writes raw headers itself, or a proxy in front of it decodes input differently from the backend.
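The following is an added example, not code from the original post: a hypothetical redirect handler that concatenates a URL-decoded parameter into the Location header (the bug described above), a parser that splits the resulting byte stream the way a naive client or caching proxy would, and the hardened version that rejects CR/LF after decoding. The function names, the `%0d%0a` payloads and the forged second response are all constructed for illustration.

```python
from urllib.parse import unquote

# Hypothetical vulnerable handler: the user-controlled "target" parameter is
# URL-decoded by the server (so %0d%0a becomes a real CR LF) and then written
# straight into the Location header by string concatenation.
def build_redirect_vulnerable(target: str) -> bytes:
    value = unquote(target)
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {value}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


# The fix: reject CR and LF *after* URL decoding, before the value reaches a
# header. (HTML encoding would not help here; CR/LF are not HTML metacharacters.)
def safe_header_value(value: str) -> str:
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in a header value")
    return value


def build_redirect_fixed(target: str) -> bytes:
    value = safe_header_value(unquote(target))
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {value}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


# Split a raw byte stream into the responses a naive client or proxy would see:
# a status line plus header block, then a body sized by Content-Length.
def parse_responses(raw: bytes) -> list[dict]:
    responses = []
    rest = raw
    while rest:
        head, sep, rest = rest.partition(b"\r\n\r\n")
        if not sep:
            break
        lines = head.decode("latin-1").split("\r\n")
        if not lines[0].startswith("HTTP/"):
            break  # leftover bytes from the original response, not a new one
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
        length = 0
        for name, value in headers:
            if name.lower() == "content-length":
                length = int(value)
        body, rest = rest[:length], rest[length:]
        responses.append({"status": lines[0], "headers": headers, "body": body})
    return responses


# Constructed payloads, written as they would appear in a URL before decoding.
# 1) Header injection: one CRLF ends Location and adds an attacker Set-Cookie.
COOKIE_INJECTION = "/home%0d%0aSet-Cookie:%20session=attacker"

# 2) Response splitting: close the real response with Content-Length: 0 and a
#    blank line, then supply a complete second response that we fully control.
SECOND_RESPONSE = (
    "/home%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0a"
    "Content-Type:%20text/html%0d%0a"
    "Content-Length:%2025%0d%0a%0d%0a"
    "<script>alert(1)</script>"  # exactly 25 bytes, matching the forged length
)


if __name__ == "__main__":
    for payload in (COOKIE_INJECTION, SECOND_RESPONSE):
        for r in parse_responses(build_redirect_vulnerable(payload)):
            print(r["status"], r["headers"], r["body"])
        try:
            build_redirect_fixed(payload)
        except ValueError as exc:
            print("fixed handler rejected payload:", exc)
```

The vulnerable handler yields one response carrying the injected Set-Cookie header for the first payload, and two parsable responses for the second, the latter being the attacker's `text/html` body; the fixed handler raises on both. The same `parse_responses` view is useful when testing a real target: capture the raw bytes (for example with `curl -si`) and look for an extra header or a second status line rather than trusting a browser's rendered view.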

![](/files/aWoEDXtlxdamCh9qZ2te)


