Medium (6.1) | Moderate risk
CRLF Injection / HTTP Response Splitting
A03:2025 | Active check | CVSS 6.1
What it is
Carriage-return/line-feed injection into the response, enabling header injection, cache poisoning, and response splitting.
How attackers abuse it
Untrusted input is interpreted as code or query syntax by some backend (a template, a NoSQL or LDAP query, an XML parser, or the HTTP response itself). Depending on the target, this leaks data, bypasses auth, or runs code.
Attacker playbook
- 1. Find where input is parsed or evaluated by a backend component.
- 2. Inject syntax for that component and observe an error or behavior change.
- 3. Refine the payload to extract data, bypass a check, or escalate to code execution.
How VibeSec detects and confirms it
VibeSec tests for this with an active scan, which runs only on targets you confirm you own or are authorized to test. We detect and confirm it using VibeSec native and Wapiti. When a payload actually proves the issue, it is reported as a confirmed finding rather than a guess.
VibeSec native, Wapiti
If this is in your report: how to fix it
- Treat all input as data, never as code or query syntax.
- Use parameterized or safe APIs for the component involved, and disable dangerous features (like template eval) on untrusted input.
- Validate against an allow-list and encode output for its context.
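One way to apply the allow-list and "treat input as data" advice above to response headers, shown as an added example that is not VibeSec's code or part of the original page. The function names, the `ALLOWED_REDIRECTS` set and the sample value are assumptions constructed for illustration.

```python
import re

# Hypothetical allow-list of redirect paths for this example.
ALLOWED_REDIRECTS = {"/", "/dashboard", "/settings"}

# Header names are RFC 9110 tokens; values must not carry CR, LF or NUL.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def build_response_unsafe(status, headers):
    """Weak form: values are concatenated into the header block unchecked."""
    lines = [f"HTTP/1.1 {status}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def safe_header(name, value):
    """Return (name, value), or raise ValueError if either could break framing."""
    if not _TOKEN.fullmatch(name):
        raise ValueError(f"invalid header name: {name!r}")
    if _FORBIDDEN.search(value):
        raise ValueError(f"control character in value of {name}")
    return name, value


def build_response(status, headers):
    """Hardened form: every header passes safe_header() before serialization."""
    checked = [safe_header(n, v) for n, v in headers]
    return build_response_unsafe(status, checked)


def redirect_target(user_value, default="/"):
    """Allow-list check: only known paths are ever reflected into Location."""
    return user_value if user_value in ALLOWED_REDIRECTS else default


def header_names(raw):
    """List header names the way a client splitting on CRLF would see them."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


# Constructed sample: a 'next' parameter carrying CR LF and an extra header.
SAMPLE = "/dashboard\r\nSet-Cookie: session=constructed"
```

Most current frameworks already refuse CR and LF in header values; the same check still matters wherever code assembles header lines by hand, such as proxies, custom servers and log or mail writers.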
Check your site for this
Run a scan and see whether this affects you, in plain language with copy-paste fixes.