CRLF injection inserts carriage return and line feed characters (%0d%0a) into a response where user input is reflected into HTTP headers. Because CRLF marks the boundary between headers and between headers and the body, injecting it lets an attacker add new headers or split the response entirely.
Beyond %0d%0a, try double encoding (%250d%250a), unicode forms, or lone %0a where the parser is lenient. The CRLF Injection generator outputs these encoding variants so you can probe header-reflection points that strip the obvious literal carriage return and line feed.
Header injection adds or overrides a single header, such as injecting a malicious Set-Cookie or a redirect Location. Response splitting goes further by injecting a full second set of headers and body after a blank line, enabling cache poisoning or reflected XSS in the smuggled body. The generator covers both.
Yes. It is free and runs 100% in your browser, so your CRLF payloads never touch a server. It is provided for authorized penetration testing, bug bounty work, and CTFs only.