
When we do our GET request, we get a response that says:
HTTP/1.x 302 Moved Temporarily
Content-Length: 0
Location: http://www.ebay.com/
That’s easy, but what happens if, instead of the Location URL, we add a set of
control characters such as CRLF, represented as 0d (CR) 0a (LF) in hexadecimal?
We use CRLF because, according to the RFC, it’s required after every new
header and plays a significant role in how the HTTP server interprets what it
receives. When we feed this into the query parameter, our outcome is:
[Our URL]
http://ebay.doubleclick.net/clk;16822042;11392512;s%3f%0d%0a
[Client Request Headers]
GET /clk;16822042;11392512;s%3f%0d%0a HTTP/1.1
Host: ebay.doubleclick.net ...
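
The following is an added example, not code from the original text or from the redirect service shown above: it contrasts a redirect handler that copies the decoded parameter straight into the Location header with one that rejects control characters first. The function names, the HTTP/1.1 status line and the X-Constructed header are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Any ASCII control character, including CR (0x0d) and LF (0x0a).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def _build(location: str) -> str:
    """Assemble a 302 response like the one shown in the text."""
    return (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        "Content-Length: 0\r\n"
        f"Location: {location}\r\n"
        "\r\n"
    )


def naive_redirect(raw_target: str) -> str:
    """Weak form: percent-decode the parameter and emit it unchecked."""
    return _build(unquote(raw_target))


def safe_redirect(raw_target: str) -> str:
    """Hardened form: refuse a target that decodes to any control character."""
    location = unquote(raw_target)
    if CONTROL_CHARS.search(location):
        raise ValueError("control character in redirect target")
    return _build(location)


def header_lines(response: str) -> list:
    """Header lines a client sees: everything between the status line
    and the first empty line."""
    head = response.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]


if __name__ == "__main__":
    # Constructed input: a normal target followed by an encoded CRLF.
    sample = "http://www.ebay.com/%0d%0aX-Constructed: 1"
    print(header_lines(naive_redirect(sample)))
    try:
        safe_redirect(sample)
    except ValueError as exc:
        print("rejected:", exc)
```
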