crlf-response-splitting
OfficialBypass strict CSP via CRLF response splitting
Software Engineering#xss#web-security#red-teaming#crlf-injection#response-splitting#csp-bypass#payload-construction
Authordreadnode
Version1.0.0
Installs0
System Documentation
What problem does it solve?
This Skill solves the issue of strict Content Security Policy (CSP) blocking all inline and external script execution even when CRLF injection is confirmed in response headers, preventing XSS attacks in these restricted environments.
Core Features & Use Cases
- Nested Response Splitting: Enables XSS execution by chaining two same-origin CRLF-injectable endpoints to bypass CSP set to script-src 'self'.
- Multiple Payload Truncation Methods: Supports delivery via missing Content-Length, Transfer-Encoding: chunked, and fixed Content-Length padding for different HTTP target configurations.
- Built-in Detection Workflow: Includes steps to confirm CRLF injection presence and validate CSP configuration to determine if nested splitting is required. Use case: For a red team assessment of a web application with strict CSP and a header parameter vulnerable to CRLF injection, use this Skill to craft a working payload that executes arbitrary JavaScript despite CSP restrictions.
Quick Start
Use the crlf-response-splitting skill to craft a nested payload that bypasses strict CSP when you have confirmed CRLF injection in a response header.
Dependency Matrix
Required Modules
None requiredComponents
Standard package💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: crlf-response-splitting Download link: https://github.com/dreadnode/capabilities/archive/main.zip#crlf-response-splitting Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
Agent Skills Search Helper
Install a tiny helper to your Agent, search and equip skill from 536,000+ vetted skills library on demand.