Improper Neutralization of CRLF Sequences in HTTP Headers


A function call contains an HTTP response splitting flaw. Writing untrusted input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and cross-site scripting attacks.


Remove unexpected carriage returns and line feeds from untrusted data used to construct an HTTP response. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

A simple string extension can resolve this issue:

public static string CRLFRemoval(this string token)


    return token.Replace("%0d", string.Empty, StringComparison.InvariantCultureIgnoreCase)

                .Replace("%0D", string.Empty, StringComparison.InvariantCultureIgnoreCase)

                .Replace("\r", string.Empty)

                .Replace("\n", string.Empty)

                .Replace("%0a", string.Empty, StringComparison.InvariantCultureIgnoreCase)

                .Replace("%0A", string.Empty, StringComparison.InvariantCultureIgnoreCase);


Links for reference: