HTTP response splitting

Persistence Compression HTTPS QUIC
Request methods
OPTIONS GET HEAD POST PUT DELETE TRACE CONNECT PATCH
Header fields
Cookie ETag Location HTTP referer DNT X-Forwarded-For
Response status codes
301 Moved Permanently 302 Found 303 See Other 403 Forbidden 404 Not Found 451 Unavailable for Legal Reasons
Security access control methods
Basic access authentication Digest access authentication
Security vulnerabilities
HTTP header injection HTTP request smuggling HTTP response splitting HTTP parameter pollution
v t e

HTTP response splitting is a form of web application vulnerability, resulting from the failure of the application or its environment to properly sanitize input values. It can be used to perform cross-site scripting attacks, cross-user defacement, web cache poisoning, and similar exploits.

The attack consists of making the server print a

standard (RFC 2616), headers are separated by one CRLF and the response's headers are separated from its body by two. Therefore, the failure to remove CRs and LFs allows the attacker to set arbitrary headers, take control of the body, or break the response into two or more separate responses—hence the name.

Prevention

The generic solution is to

such as Location or Set-Cookie.

Typical examples of sanitization include casting to integers or aggressive regular expression replacement. Although response splitting is not specific to PHP, the PHP interpreter contains protection against the attack since version 4.4.2 and 5.1.2.^[1]

References

External links

• Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics. Amit Klein, 2004.
• Target Web Application Vulnerable to HTTP Header Injection
• HTTP Response Splitting, The Web Application Security Consortium
• Wapiti Open Source XSS, Header, SQL and LDAP injection scanner
• LWN article
• CWE-113: Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
• HTTP Response Splitting Attack - OWASP
• CRLF Injection - OWASP