Header Reflection

CRLF Response Splitting

The redirect handler copies the `next` query parameter into the `Location` header without stripping carriage-return/line-feed (CRLF) characters, so an attacker who controls `next` can terminate the header and inject additional response headers.

CWE-93, CWE-113
Splitting probe

Expected Findings

  • `next` value is written to `Location` without sanitization.
  • CRLF sequences create additional response headers.
  • Same flaw affects redirect emails and 302 chains.

Signals

Code
w.Header().Set("Location", req.URL.Query().Get("next"))
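The vulnerable line above beside a hardened handler, as an added example that is not the page's own code: `vulnerableRedirect` reproduces the unsanitized reflection, while `safeNext` enforces an assumed policy (same-origin absolute path only, no control characters, no absolute or protocol-relative URLs) before `hardenedRedirect` issues the 302. Handler and function names, the `/redirect` route and the listen address are assumptions for this example.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// vulnerableRedirect reproduces the pattern from the page: the next parameter
// is copied into Location as-is, so CR/LF in it ends up in the header value.
func vulnerableRedirect(w http.ResponseWriter, req *http.Request) {
	w.Header().Set("Location", req.URL.Query().Get("next"))
	w.WriteHeader(http.StatusFound)
}

// safeNext validates a redirect target and returns "" when it must be rejected.
// Policy (an assumption for this example): the target must be a same-origin
// absolute path; control characters, backslashes, absolute URLs and
// protocol-relative (//host) forms are all refused. Validating the input here
// does not depend on whatever the server's header writer does with newlines.
func safeNext(next string) string {
	if next == "" || strings.ContainsAny(next, "\r\n\x00\\") {
		return ""
	}
	u, err := url.Parse(next)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return ""
	}
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return ""
	}
	return u.String()
}

// hardenedRedirect refuses anything safeNext rejects instead of reflecting it.
func hardenedRedirect(w http.ResponseWriter, req *http.Request) {
	target := safeNext(req.URL.Query().Get("next"))
	if target == "" {
		http.Error(w, "invalid redirect target", http.StatusBadRequest)
		return
	}
	http.Redirect(w, req, target, http.StatusFound)
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/redirect", hardenedRedirect)
	_ = http.ListenAndServe("127.0.0.1:8080", mux)
}
```

Run it against `httptest.NewRecorder()` to see the raw header the vulnerable handler records versus the 400 the hardened one returns for the same request.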