FixVibe

// sondes / spotlight

CRLF / Response Splitting

If user input lands in a response header, line breaks let the attacker write their own headers.

L'accroche

Response splitting is the network protocol equivalent of finding a typewriter and discovering the carriage-return key works. HTTP headers are delimited by `\r\n`. Any place user input gets concatenated into a header without filtering those bytes, the attacker can end one header line and start another. Modern frameworks strip CR/LF before they ever reach the wire, so most apps are immune by accident — but the bug still appears in custom header-handling code, in proxy layers that forward user-controlled values, and in language features that lag behind framework norms (raw FastCGI bridges, mod_perl, certain Lua patterns, anywhere someone wrote `header('Location: ' + req.query.next)` without the framework's redirect helper).

Comment ça marche

CRLF injection appears when user-controlled text reaches response headers without proper normalization. Attackers may be able to split headers, poison caches, or alter downstream browser behavior.

Le rayon d'impact

Cookie injection (session fixation, role escalation if the app trusts cookies for authorization). Cache poisoning across CDN edges, where one attacker request taints responses for every later visitor. XSS via injected Content-Type or HTML body. CRLF in `Location:` headers can also enable open-redirect-style phishing through legitimate-looking flows.

// what fixvibe checks

What FixVibe checks

FixVibe checks this class with verified-domain active testing that is bounded, non-destructive, and evidence-driven. Public reports describe the affected surface and remediation. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Défenses blindées

Strip or reject CR (`\r`, `%0d`) and LF (`\n`, `%0a`) in any user input that reaches a response header. Most modern frameworks do this automatically: Express's `res.redirect` rejects line breaks, Django's `HttpResponseRedirect` URL-encodes them, Rails sanitizes header values. The bugs cluster in custom code — proxy handlers, signed-URL generators, OAuth callback constructors, anywhere someone reaches into `res.setHeader` directly. Audit those code paths and pass user input through a strict header-value sanitizer. As a defense-in-depth measure, ensure your CDN normalizes or rejects ambiguous responses (most modern CDNs do this by default; older nginx-as-cache configurations may not). Use HTTP/2 between proxy and origin where possible — HTTP/2 frames eliminate the CR/LF parsing ambiguity entirely.

// lance-le sur ta propre app

Continue de shipper pendant que FixVibe veille.

FixVibe sonde la surface publique de ton app comme le ferait un attaquant — sans agent, sans install, sans carte. Nous continuons à rechercher de nouveaux schémas de vulnérabilités et à les transformer en checks pratiques et correctifs prêts pour Cursor, Claude et Copilot.

Aktif probes
103
tests dans cette catégorie
modules
27
vérifications aktif probes dédiées
chaque scan
384+
tests sur toutes les catégories
  • Gratuit — sans carte, sans install, sans ping Slack
  • Colle juste une URL — on crawle, on sonde, on rapporte
  • Findings classés par sévérité, dédupliqués au signal
  • Prompts de correction à jour, prêts pour Cursor, Claude, Copilot
Lancer un scan gratuit

// checks récents · correctifs pratiques · shippe sereinement

CRLF / Response Splitting — Vulnerability Spotlight | FixVibe · FixVibe