Exploiting a CRLF Injection in the `Location` header
We discussed this vulnerability during Episode 195 on 13 March 2023
A nice use of a CRLF injection to exploit a seemingly unexploitable injection: the browser wouldn't render the page because a `Location` header was present. The trick was to use the CRLF injection to inject a `Connection: Location` header, telling the proxy to treat the `Location` header as a hop-by-hop header and drop it before passing the response on to the end user. Without the `Location` header present, even though it was an HTTP 302 response, the browser would render the page with attacker-controlled content.
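To make the two defensive checks concrete, here is an added example (not from the episode or any project it discusses): a hardened redirect builder that refuses CR/LF in a header value, and a response audit that flags a `Connection` header naming an end-to-end header such as `Location`. The sample response and the header names are constructed for illustration.

```python
import re
from typing import Dict, List

# Hop-by-hop header names (RFC 7230 section 6.1) plus the Connection tokens a
# proxy normally sees; any other name listed in Connection is suspicious.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade", "close"}

class HeaderInjection(ValueError):
    """Raised when a value would turn one header line into several."""

def safe_header_value(value: str) -> str:
    # CR, LF and NUL are the characters that let a value inject a new header.
    if re.search(r"[\r\n\x00]", value):
        raise HeaderInjection(f"control character in header value: {value!r}")
    return value

def build_redirect(target: str) -> str:
    """Hardened form: validate the Location value before it is serialised."""
    return "\r\n".join(["HTTP/1.1 302 Found", f"Location: {safe_header_value(target)}", "", ""])

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response into a name->value map."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if line == "":
            break  # end of header block
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        # Repeated headers are combined the way a comma-list header would be.
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers

def audit_response(raw: str) -> List[str]:
    """Flag a Connection header that asks a proxy to drop an end-to-end header."""
    findings: List[str] = []
    for token in parse_headers(raw).get("connection", "").split(","):
        token = token.strip().lower()
        if token and token not in HOP_BY_HOP:
            findings.append(f"Connection names end-to-end header {token!r}")
    return findings

# Constructed sample: a 302 whose Connection header names Location, as described above.
SAMPLE_302 = "\r\n".join([
    "HTTP/1.1 302 Found",
    "Location: https://app.example/next",
    "Connection: Location",
    "Content-Type: text/html",
    "",
    "<html>body the browser would render if Location is stripped</html>",
])
```

Running `audit_response` over proxy or WAF response logs gives a cheap signal for this class of tampering, and `safe_header_value` is the check a redirect handler should apply to every user-influenced header value.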