CRLF Injection
Sam Sanoop edited this page Jan 13, 2026
- Scenario: An admin page (`/admin.html`) allows viewing recent system login activity.
- Vulnerability: The login process logs the username directly into the system logs without sanitization. An attacker can inject CRLF characters (`%0d%0a` or `\n`) into their username during a login attempt.
- Impact: This allows Log Forgery/Pollution. The attacker can inject fake log entries (e.g., "User 'admin' logged in successfully") that appear as legitimate, separate lines in the admin log viewer, potentially covering their tracks or confusing administrators.
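The forgery above, shown beside the fix, as an added example that is not code from this project: the unsafe formatter interpolates the raw username into the log line, the safe one escapes line terminators first, and a small entry counter shows how the admin log viewer would see each. The function names and the constructed username are assumptions.

```javascript
// Added example: CRLF-in-username log forgery and its mitigation.

// Vulnerable: the raw username is written straight into the log line.
function formatLoginUnsafe(username) {
  return `Login attempt for user '${username}'\n`;
}

// Mitigation: neutralise CR and LF so a value can never start a new line.
function sanitizeLogValue(value) {
  return String(value)
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n');
}

// Hardened formatter built on the sanitiser.
function formatLoginSafe(username) {
  return `Login attempt for user '${sanitizeLogValue(username)}'\n`;
}

// Input validation at the login boundary: reject names carrying CR/LF.
function containsCrlf(value) {
  return /[\r\n]/.test(String(value));
}

// What the admin log viewer would render: one entry per non-empty line.
function countEntries(logText) {
  return logText.split('\n').filter((line) => line.length > 0).length;
}

// Constructed sample: a username carrying %0d%0a, as a login form would
// deliver it after URL decoding.
const forgedUsername = decodeURIComponent(
  "bob%0d%0aUser 'admin' logged in successfully"
);

const unsafeLog = formatLoginUnsafe(forgedUsername); // 2 entries: forged line is separate
const safeLog = formatLoginSafe(forgedUsername);     // 1 entry: terminators escaped

console.log('unsafe entries:', countEntries(unsafeLog));
console.log('safe entries:', countEntries(safeLog));
console.log('reject at login boundary:', containsCrlf(forgedUsername));
```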