Sucuri: [] CRLF Injection

ID H1:144769
Type hackerone
Reporter bobrov
Modified 2016-10-24T22:25:33


PoC (any browser except Firefox):

HTTP Response:

    HTTP/1.1 301 Moved Permanently
    Date: Tue, 14 Jun 2016 19:56:14 GMT
    Server: Apache
    Location: <= injection \r
    Set-Cookie: crlf=injection

This vulnerability could be chained with others, for example XSS through a cookie value, or session fixation.
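The following is an added example and is not code from the report or from Sucuri. It assumes a hypothetical redirect endpoint that copies an untrusted query parameter into the Location header (the report does not say how the injection point is constructed). It shows the defect side by side with a hardened builder that refuses CR, LF and NUL in header values, a lenient header parser that mimics the browsers the report says are affected (an assumption about their line-splitting behaviour), and a detection check that flags a Set-Cookie header on an endpoint that should never emit one.

```python
import re

# Added example (not from the report). Assumed scenario: a web app copies an
# untrusted query parameter into the Location header of a 301 redirect.

# Characters that must never appear inside a single header value: CR, LF and NUL.
FORBIDDEN_IN_HEADER = re.compile(r"[\r\n\x00]")

# Lenient line splitting: a lone CR or LF also ends a header line. The report says the
# PoC works in every browser except Firefox; this parser mimics that lenient behaviour
# (an assumption about those browsers, not something the report spells out).
LINE_BREAK = re.compile(rb"\r\n|\r|\n")


class HeaderInjectionError(ValueError):
    """Raised when an untrusted value would break out of its header line."""


def build_redirect_unsafe(target: str) -> bytes:
    """'Before' form: the untrusted value is copied verbatim into Location, so any
    CR/LF inside it terminates the header and the remainder becomes new headers.
    This is the defect the report describes; it is here only for comparison."""
    return (b"HTTP/1.1 301 Moved Permanently\r\n"
            b"Server: Apache\r\n"
            b"Location: " + target.encode("utf-8") + b"\r\n"
            b"\r\n")


def is_safe_header_value(value: str) -> bool:
    """True when the value cannot terminate a header line."""
    return FORBIDDEN_IN_HEADER.search(value) is None


def build_redirect_safe(target: str) -> bytes:
    """Hardened form: refuse any value containing CR, LF or NUL instead of emitting it."""
    if not is_safe_header_value(target):
        raise HeaderInjectionError("refusing CR/LF/NUL inside a header value")
    return (b"HTTP/1.1 301 Moved Permanently\r\n"
            b"Server: Apache\r\n"
            b"Location: " + target.encode("utf-8") + b"\r\n"
            b"\r\n")


def parse_headers(raw: bytes) -> dict:
    """Parse the response head the way a lenient client would and return
    {lower-case name: [values...]}; duplicate names keep every value."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = LINE_BREAK.split(head)
    headers = {}
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():
            continue
        name, _, value = line.partition(b":")   # split on the first colon only
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


def unexpected_headers(raw: bytes, expected: set) -> set:
    """Detection check for a redirect endpoint: report any header name the endpoint
    is not supposed to emit (a Set-Cookie on a plain redirect is the tell-tale sign)."""
    return set(parse_headers(raw)) - {h.lower() for h in expected}


if __name__ == "__main__":
    # Constructed sample value mirroring the report: a CRLF followed by a Set-Cookie line.
    sample = "https://example.com/\r\nSet-Cookie: crlf=injection"
    leaked = build_redirect_unsafe(sample)
    print(unexpected_headers(leaked, {"Server", "Location"}))   # {'set-cookie'}
    try:
        build_redirect_safe(sample)
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

Rejecting the value outright is preferable to stripping the offending bytes, since a stripped value may still be a different URL than the one the caller intended; most mature HTTP libraries already refuse CR/LF in header values, and the `unexpected_headers` check is the kind of assertion a regression test for a redirect endpoint can carry.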