FixVibe

// probes / spotlight

CRLF / Response Splitting

If user input lands in a response header, line breaks let the attacker write their own headers.

Olta

Response splitting is the network protocol equivalent of finding a typewriter and discovering the carriage-return key works. HTTP headers are delimited by `\r\n`. Any place user input gets concatenated into a header without filtering those bytes, the attacker can end one header line and start another. Modern frameworks strip CR/LF before they ever reach the wire, so most apps are immune by accident — but the bug still appears in custom header-handling code, in proxy layers that forward user-controlled values, and in language features that lag behind framework norms (raw FastCGI bridges, mod_perl, certain Lua patterns, anywhere someone wrote `header('Location: ' + req.query.next)` without the framework's redirect helper).

Nasıl çalışır

CRLF injection appears when user-controlled text reaches response headers without proper normalization. Attackers may be able to split headers, poison caches, or alter downstream browser behavior.

Etki yarıçapı

Cookie injection (session fixation, role escalation if the app trusts cookies for authorization). Cache poisoning across CDN edges, where one attacker request taints responses for every later visitor. XSS via injected Content-Type or HTML body. CRLF in `Location:` headers can also enable open-redirect-style phishing through legitimate-looking flows.

// fixvibe neyi kontrol eder

FixVibe neyi kontrol eder

FixVibe checks this class with verified-domain active testing that is bounded, non-destructive, and evidence-driven. Public reports describe the affected surface and remediation. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Sağlam savunmalar

Strip or reject CR (`\r`, `%0d`) and LF (`\n`, `%0a`) in any user input that reaches a response header. Most modern frameworks do this automatically: Express's `res.redirect` rejects line breaks, Django's `HttpResponseRedirect` URL-encodes them, Rails sanitizes header values. The bugs cluster in custom code — proxy handlers, signed-URL generators, OAuth callback constructors, anywhere someone reaches into `res.setHeader` directly. Audit those code paths and pass user input through a strict header-value sanitizer. As a defense-in-depth measure, ensure your CDN normalizes or rejects ambiguous responses (most modern CDNs do this by default; older nginx-as-cache configurations may not). Use HTTP/2 between proxy and origin where possible — HTTP/2 frames eliminate the CR/LF parsing ambiguity entirely.

// run it on your own app

Sen yayınlamaya devam et, FixVibe gözcülüğü üstlensin.

FixVibe, uygulamanın herkese açık yüzeyini bir saldırganın yapacağı şekilde basınç altına sokar — ajan yok, kurulum yok, kart yok. Yeni zafiyet örüntülerini araştırmaya devam edip onları pratik check’lere ve Cursor, Claude ve Copilot için kopyalayıp yapıştırılabilir düzeltmelere dönüştürüyoruz.

Aktif problar
127
bu kategoride çalıştırılan testler
modules
48
aktif problar için özel check’ler
her tarama
487+
tüm kategorilerde testler
  • Ücretsiz — kredi kartı yok, kurulum yok, Slack mesajı yok
  • Sadece bir URL yapıştır — biz tarar, sondalar ve raporlarız
  • Önem dereceli, yalnızca sinyale ayıklanmış bulgular
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Ücretsiz tarama başlat

// latest checks · practical fixes · ship with confidence

CRLF / Response Splitting — Zafiyet Spotlight | FixVibe · FixVibe