php-crlf-audit

Original：🇨🇳 Chinese

Translated

PHP Web source code CRLF/response splitting audit tool. Identifies user input that enters HTTP response headers, analyzes filtering and encoding of newlines/control characters, and outputs severity ratings, PoCs and fix suggestions (omission is prohibited).

2installs

Source0xshe/php-code-audit-skill

Added on2026-04-02

NPX Install

npx skill4agent add 0xshe/php-code-audit-skill php-crlf-audit

SKILL.md Content (Chinese)

View Translation Comparison →

PHP CRLF Response Splitting Audit (php-crlf-audit)

Analyzes PHP project source code to identify whether user-controllable data enters response headers (header), Cookies, or other parts that can be interpreted as new headers by browsers/middleware, which may cause response splitting, cache poisoning or redirection hijacking.

Severity Rating and Numbering

See details:
```
shared/SEVERITY_RATING.md
```
Vulnerability number:
```
{C/H/M/L}-CRLF-{serial number}
```

Mandatory Sink Check (Required)

Identify the following points:

The header value parameter of
```
header()
```
contains user input
The cookie name/value/domain/path of
```
setcookie()
```
contains user input
Functions/encapsulations that output to custom headers (eventually still call header)
Splicing into HTTP response headers within the returned body (rare, but still needs to be evidenced in the code)

Mandatory Filtering and Normalization Check (Required)

Must output:

Whether
```
\r
```
and
```
\n
```
are rejected or sanitized
Whether visible control characters are processed
Whether URL encoding/escaping is performed (note: incorrect "partial filtering" may be bypassed)

PoC (Required)

The actual route and controllable field name must be provided
The payload must reflect CRLF:
```
%0d%0a
```
(or
```
\r\n
```
) and explain the expected effect (e.g. inject Location or custom header)

Report Output

{output_path}/vuln_audit/crlf_{timestamp}.md

Entry Template (Required)

Must include: location evidence + data flow chain + exploit prerequisites + PoC + fix suggestions + code search statement.

Evidence Citation (Required: from php-route-tracer)

Each suspected CRLF/response splitting vulnerability must cite the corresponding evidence points in the CRLF line of

## 9) Sink Evidence Type Checklist

in the trace output item by item (the status can be pending verification, but the evidence citation must exist):

```
EVID_CRLF_OUTPUT_POINT
```
: Evidence of the location of the response header/Cookie output point (final output location such as header/setcookie)
```
EVID_CRLF_USER_INPUT_INTO_HEADER_COOKIE
```
: Evidence that user input enters the header/cookie value (including the entry point of control characters)
```
EVID_CRLF_CONTROL_CHAR_FILTERING_ENCODING
```
: Evidence of filtering/encoding of
```
\r\n
```
or control characters (corresponding fragments of rejection/sanitization/encoding implementation)

Processing for Missing Tracer Evidence (Required)

If any of the above key evidence points 1~3 cannot be located: the vulnerability status can only be marked as
```
⚠️Pending Verification
```
, and
```
✅Confirmed Exploitable
```
cannot be given directly.