Topic starter 16/08/2025 6:34 pm
HTTP Response Splitting is a web application vulnerability that allows attackers to manipulate the structure of HTTP responses by injecting malicious input—specifically carriage return (CR) and line feed (LF) characters—into HTTP headers.
🧠 What Is HTTP Response Splitting?
It occurs when:
- A web application includes untrusted user input directly in an HTTP response header.
- The input is not properly sanitized, so the carriage return (\r, CR) and line feed (\n, LF) characters can sneak in.
- Because the CRLF sequence is what separates headers in HTTP, and a blank line (CRLF CRLF) is what separates the headers from the body, these characters end the current header early and let the attacker append headers of their own, close the header block, supply body content, or even inject a complete second response.
🧨 Why It’s Dangerous
Attackers can use HTTP response splitting to:
- Inject malicious content into the response body.
- Perform cross-site scripting (XSS) attacks.
- Execute web cache poisoning, tricking caches into storing harmful content.
- Hijack pages or redirect users to malicious sites.
🧪 Example
Imagine a vulnerable Java servlet that sets a cookie using user input:

```java
// Deliberately vulnerable: the "author" query parameter is copied into a
// Set-Cookie header without any check for CR or LF characters.
String author = request.getParameter("author");
Cookie cookie = new Cookie("author", author);
response.addCookie(cookie);
```

If an attacker submits the following as the `author` parameter (in the actual request the CR and LF would be sent URL-encoded as `%0d%0a`):

Wiley Hacker\r\nContent-Length:999\r\n\r\n<html>malicious content</html>

The server might respond with:

HTTP/1.1 200 OK
Set-Cookie: author=Wiley Hacker
Content-Length: 999

<html>malicious content</html>

The injected CRLF ends the Set-Cookie header, the injected Content-Length becomes a header of its own, and the injected blank line ends the header block, so the attacker's HTML is now the start of the body. The server's own remaining headers and body follow after it and are treated as body content too. Note that current servlet containers and most HTTP libraries reject CR and LF in header values, so this snippet only behaves this way on old or hand-rolled HTTP stacks; the pattern (untrusted input concatenated into a header) is what to look for.
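The mechanics above, as an added example in Python that is not code from the original post: a naive server builds a response by concatenating the untrusted `author` value into a Set-Cookie header, and a small Content-Length-honouring parser (standing in for a browser, proxy or cache) shows what that stream looks like to the consumer. All function names, the page contents and the two payloads are constructed for this example; the second payload goes beyond the page's own and injects a complete second response, which is the form used for cache poisoning.

```python
# Added example, not from the original post.  Models a server that copies an
# untrusted "author" parameter into a Set-Cookie header unchecked, and shows how
# a downstream consumer parses the result.  Names and sample data are constructed.
from typing import Dict, List, Tuple

CRLF = "\r\n"

# Payload from the post: appends a header, ends the header block, supplies body.
PAGE_PAYLOAD = "Wiley Hacker\r\nContent-Length:999\r\n\r\n<html>malicious content</html>"

# Constructed variant: terminates the real response with an empty body and then
# injects a complete second response (30 body bytes) that a cache could store.
SECOND_RESPONSE_PAYLOAD = (
    "Wiley Hacker\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 30\r\n\r\n"
    "<html>malicious content</html>"
)


def build_response_vulnerable(author: str) -> str:
    """Naive server: the raw parameter is concatenated into the header block."""
    return (
        "HTTP/1.1 200 OK" + CRLF
        + "Set-Cookie: author=" + author + CRLF
        + "Content-Type: text/html" + CRLF
        + CRLF
        + "<html>legitimate page</html>"
    )


def parse_responses(raw: str) -> List[Tuple[str, Dict[str, str], str]]:
    """Splits a stream into (status_line, headers, body) messages the way a
    consumer that honours Content-Length would: headers end at the first blank
    line, the body is Content-Length bytes (or everything left if absent), and
    whatever remains is parsed as the next message."""
    messages = []
    rest = raw
    while rest:
        head, sep, after = rest.partition(CRLF + CRLF)
        if not sep:
            break  # no complete header block left
        lines = head.split(CRLF)
        status = lines[0]
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
        length = int(headers.get("Content-Length", len(after)))
        body, rest = after[:length], after[length:]
        messages.append((status, headers, body))
    return messages


if __name__ == "__main__":
    for label, payload in (("benign", "Wiley Hacker"),
                           ("page payload", PAGE_PAYLOAD),
                           ("second response", SECOND_RESPONSE_PAYLOAD)):
        msgs = parse_responses(build_response_vulnerable(payload))
        print(f"{label}: consumer sees {len(msgs)} message(s)")
        for status, headers, body in msgs:
            print("  ", repr(status), headers, repr(body[:40]))
```

With the benign value the consumer sees one response. With the page's payload it still sees one response, but its Content-Length and the start of its body are attacker-controlled. With the second payload the first response is empty and the next thing on the wire is an attacker-authored 200 OK; the leftover tail of the server's real response is then parsed as a third, malformed fragment, which is exactly the desynchronisation a cache-poisoning attack relies on.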
🛡️ How to Prevent It
| Strategy | Description |
|---|---|
| Sanitize input | Reject, or at minimum strip, CR (\r) and LF (\n) before a value reaches a header. Rejecting is the safer choice: stripping silently changes the value and can hide an attack in progress. |
| Use URL encoding | Percent-encode user input before placing it in a header, so CR becomes %0D and LF becomes %0A and can no longer act as a line break. |
| Framework protections | Use an HTTP stack that validates header values itself: Django raises BadHeaderError, the Node.js http module rejects invalid characters in header values, and PHP's header() has refused to emit more than one header per call since 5.1.2. Do not rely on this alone where raw headers are written by hand or older components are in the path. |
| Validate data types | Cast inputs to the expected type (e.g., integers) or match them against an allow-list pattern, so unexpected characters are rejected before they are used. |
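The four strategies in the table, as an added Python example that is not code from the original post. The function names and the sample payload are constructed; the "framework protections" row is illustrated with Python's standard `http.client`, which refuses a CR or LF that would begin a new header line (it opens no network connection, because `putrequest()` only buffers the request).

```python
# Added example, not from the original post: the table's four defences as
# small functions.  Names and sample data are constructed for illustration.
import http.client
import re
import urllib.parse

_CTL = re.compile(r"[\r\n\x00]")

# Constructed payload in the same shape as the one in the post.
PAYLOAD = "Wiley Hacker\r\nContent-Length:999\r\n\r\n<html>malicious content</html>"


def strip_crlf(value: str) -> str:
    """Sanitize input: remove CR, LF and NUL so no header boundary can be forged.
    Prefer reject_crlf() where the value is not expected to contain them at all."""
    return _CTL.sub("", value)


def reject_crlf(value: str) -> str:
    """Sanitize input, strict form: refuse the value instead of altering it."""
    if _CTL.search(value):
        raise ValueError("control characters are not allowed in header values")
    return value


def encode_for_header(value: str) -> str:
    """Use URL encoding: percent-encode everything outside the unreserved set,
    so CR becomes %0D, LF becomes %0A and the value stays on a single line."""
    return urllib.parse.quote(value, safe="")


def require_int(value: str) -> int:
    """Validate data types: a field that must be numeric is matched against a
    strict pattern first.  int() alone is not enough, because int("42\\r\\n")
    succeeds after stripping whitespace and would hide a smuggled CRLF."""
    if not re.fullmatch(r"-?\d+", value):
        raise ValueError(f"expected an integer, got {value!r}")
    return int(value)


def framework_rejects_crlf(value: str) -> bool:
    """Framework protections: returns True if http.client refuses the value as a
    header.  HTTPConnection() and putrequest() only build an in-memory buffer;
    nothing is sent to example.invalid."""
    conn = http.client.HTTPConnection("example.invalid")
    conn.putrequest("GET", "/")
    try:
        conn.putheader("Set-Cookie", "author=" + value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("stripped :", repr(strip_crlf(PAYLOAD)))
    print("encoded  :", encode_for_header(PAYLOAD))
    print("stdlib rejects payload:", framework_rejects_crlf(PAYLOAD))
    for candidate in ("42", "42\r\nX-Injected: 1"):
        try:
            print("int ok   :", require_int(candidate))
        except ValueError as exc:
            print("rejected :", exc)
```

Rejecting is listed beside stripping on purpose: a value that arrives with a CRLF in it is either a bug upstream or an attack, and a hard error surfaces both, while a silent strip leaves `Wiley HackerContent-Length:999...` in the cookie and no log entry.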