CRLF injection / HTTP response splitting TL;DR: %0d%0a in user input breaks out of headers — split responses, set cookies, plant XSS, poison caches. Stub — to be filled in. What it is TODO Preconditions / where it applies TODO Technique TODO Detection and defence TODO References https://owasp.org/www-community/vulnerabilities/CRLF_Injection