FixVibe

// sondeos / spotlight

CRLF / División de respuesta

Si la entrada del usuario llega a una cabecera de respuesta, los saltos de línea le dejan escribir sus propias cabeceras.

El gancho

Response splitting is the network protocol equivalent of finding a typewriter and discovering the carriage-return key works. HTTP headers are delimited by `\r\n`. Any place user input gets concatenated into a header without filtering those bytes, the attacker can end one header line and start another. Modern frameworks strip CR/LF before they ever reach the wire, so most apps are immune by accident — but the bug still appears in custom header-handling code, in proxy layers that forward user-controlled values, and in language features that lag behind framework norms (raw FastCGI bridges, mod_perl, certain Lua patterns, anywhere someone wrote `header('Location: ' + req.query.next)` without the framework's redirect helper).

Cómo funciona

CRLF injection appears when user-controlled text reaches response headers without proper normalization. Attackers may be able to split headers, poison caches, or alter downstream browser behavior.

El radio de impacto

Cookie injection (session fixation, role escalation if the app trusts cookies for authorization). Cache poisoning across CDN edges, where one attacker request taints responses for every later visitor. XSS via injected Content-Type or HTML body. CRLF in `Location:` headers can also enable open-redirect-style phishing through legitimate-looking flows.

// what fixvibe checks

What FixVibe checks

FixVibe checks this class with verified-domain active testing that is bounded, non-destructive, and evidence-driven. Public reports describe the affected surface and remediation. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Defensas a prueba de balas

Strip or reject CR (`\r`, `%0d`) and LF (`\n`, `%0a`) in any user input that reaches a response header. Most modern frameworks do this automatically: Express's `res.redirect` rejects line breaks, Django's `HttpResponseRedirect` URL-encodes them, Rails sanitizes header values. The bugs cluster in custom code — proxy handlers, signed-URL generators, OAuth callback constructors, anywhere someone reaches into `res.setHeader` directly. Audit those code paths and pass user input through a strict header-value sanitizer. As a defense-in-depth measure, ensure your CDN normalizes or rejects ambiguous responses (most modern CDNs do this by default; older nginx-as-cache configurations may not). Use HTTP/2 between proxy and origin where possible — HTTP/2 frames eliminate the CR/LF parsing ambiguity entirely.

// ejecútalo en tu propia app

Sigue lanzando mientras FixVibe vigila.

FixVibe somete la superficie pública de tu app a la misma presión que un atacante — sin agente, sin instalación, sin tarjeta. Seguimos investigando nuevos patrones de vulnerabilidad y los convertimos en checks prácticos y fixes listos para Cursor, Claude y Copilot.

Sondeos activos
103
tests en esta categoría
módulos
27
checks dedicados de sondeos activos
cada scan
384+
tests en todas las categorías
  • Gratis — sin tarjeta, sin instalación, sin ping de Slack
  • Solo pega una URL — nosotros crawleamos, sondeamos y reportamos
  • Hallazgos clasificados por severidad, deduplicados al puro signal
  • Prompts de fix actuales, listos para Cursor, Claude, Copilot
Ejecutar un escaneo gratis

// checks actuales · fixes prácticos · lanza con confianza

CRLF / División de respuesta — Spotlight de Vulnerabilidad | FixVibe · FixVibe