Mobb User Docs
HTTP Response Splitting Attacks

Learn how to prevent HTTP Response Splitting attacks with real code examples and best practices. Protect your web applications from header manipulation and response injection vulnerabilities.

Tools recognizing this:

Fortify, Checkmarx, SonarQube, Snyk, Semgrep, CodeQL

What is HTTP Response Splitting and How Does it Work?

HTTP Response Splitting is a web security vulnerability that occurs when an attacker can inject newline characters (CR/LF) into response headers. This allows the attacker to split the response into multiple responses, potentially leading to:

  • Cache poisoning attacks
  • Cross-site scripting (XSS)
  • Page defacement
  • Response header manipulation
  • Session hijacking

This guide covers HTTP Response Splitting attacks, examples, prevention methods, and how to protect your applications using real-world techniques.

One Simple HTTP Response Splitting Attack Example

Consider this example of building a redirect (Location) header from user input:

response.setHeader("Location", userInput + "/index.html");

An attacker could provide this input:

/page.html\r\nSet-Cookie: sessionId=hijacked

The resulting response headers become:

Location: /page.html
Set-Cookie: sessionId=hijacked

This allows the attacker to inject their own response headers, potentially hijacking user sessions or performing other malicious actions.

HTTP Response Splitting Prevention Methods: How to Fix Your Code

The most effective way to fix HTTP Response Splitting is to properly validate and sanitize any user input that goes into response headers. This includes removing or encoding CR/LF characters and validating the input against an allowlist of acceptable values.

Code Samples

Vulnerable Code

String userInput = request.getParameter("page");
response.setHeader("Location", userInput + "/index.html");

Fixed Code

String userInput = request.getParameter("page");
String sanitizedInput = userInput.replaceAll("[\r\n]", "");
response.setHeader("Location", sanitizedInput + "/index.html");

Fix Explanation

The vulnerable code directly includes user input in response headers. The fix removes all CR/LF characters from the input using replaceAll(). This prevents attackers from splitting the response with injected newlines.

Vulnerable Code

user_input = request.args.get('redirect')
response.headers['Location'] = user_input + '/index.html'

Fixed Code

import re
user_input = request.args.get('redirect')
sanitized_input = re.sub(r'[\r\n]', '', user_input)
response.headers['Location'] = sanitized_input + '/index.html'

Fix Explanation

The vulnerable code directly uses user input in response headers. The fix uses regex to remove all CR/LF characters from the input. The sanitized input is safe to use in response headers.

Vulnerable Code

string userInput = Request.QueryString["redirect"];
Response.AddHeader("Location", userInput + "/index.html");

Fixed Code

string userInput = Request.QueryString["redirect"];
string sanitizedInput = Regex.Replace(userInput, @"[\r\n]", "");
Response.AddHeader("Location", sanitizedInput + "/index.html");

Fix Explanation

The vulnerable code includes raw user input in response headers. The fix uses Regex.Replace to remove CR/LF characters. The sanitized input prevents response splitting attacks.

Vulnerable Code

$userInput = $_GET['redirect'];
header("Location: " . $userInput . "/index.html");

Fixed Code

$userInput = $_GET['redirect'];
$sanitizedInput = str_replace(array("\r", "\n"), "", $userInput);
header("Location: " . $sanitizedInput . "/index.html");

Fix Explanation

The vulnerable code directly concatenates user input into headers. The fix removes CR/LF characters using str_replace. The sanitized input is safe for use in HTTP headers.

Vulnerable Code

const userInput = req.query.redirect;
res.setHeader('Location', userInput + '/index.html');

Fixed Code

const userInput = req.query.redirect;
const sanitizedInput = userInput.replace(/[\r\n]/g, '');
res.setHeader('Location', sanitizedInput + '/index.html');

Fix Explanation

The vulnerable code uses unvalidated user input in headers. The fix removes CR/LF characters using regular expressions. The sanitized input prevents response splitting attacks.
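The prevention section above calls for both CR/LF removal and an allowlist check, but the fixed samples only show the first step. The following Python is an added example, not Mobb's code or any of the samples above: it strips CR/LF, enforces a constructed allowlist of redirect targets (an assumption for this example), and shows how many header lines a client receives before and after sanitising the guide's attacker input.

```python
import re

# Constructed allowlist for this example: the only redirect targets the
# hypothetical application is willing to send a client to.
ALLOWED_TARGETS = {"/page", "/docs", "/account"}

# The attacker-controlled value from the guide's example (constructed input).
MALICIOUS_INPUT = "/page.html\r\nSet-Cookie: sessionId=hijacked"


def strip_crlf(value: str) -> str:
    """Remove CR and LF so the value can never terminate the header line early."""
    return re.sub(r"[\r\n]", "", value)


def location_header(user_input):
    """Build a safe Location value: strip CR/LF, then require an allowlisted target.

    Returns None when the input must be rejected (missing or not on the allowlist),
    so the caller can fall back to a fixed default instead of echoing the input.
    """
    if user_input is None:
        return None
    cleaned = strip_crlf(user_input)
    if cleaned not in ALLOWED_TARGETS:
        return None
    return cleaned + "/index.html"


def header_lines(name: str, value: str):
    """Serialise one header the way a server would and return the lines a client sees.

    A value containing CRLF yields more than one line, which is exactly the split
    the guide describes; a sanitised value always yields a single line.
    """
    raw = f"{name}: {value}\r\n"
    return [line for line in raw.split("\r\n") if line]


if __name__ == "__main__":
    print(header_lines("Location", MALICIOUS_INPUT + "/index.html"))
    print(header_lines("Location", strip_crlf(MALICIOUS_INPUT) + "/index.html"))
    print(location_header(MALICIOUS_INPUT))  # None: not on the allowlist
    print(location_header("/docs"))          # /docs/index.html
```

Stripping CR/LF alone still lets any attacker-chosen path reach the Location header; the allowlist check is what limits the redirect to targets the application intends.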

Need more help in preventing HTTP Response Splitting?

Mobb supports fixing many forms of HTTP Response Splitting vulnerabilities, and can mitigate your issues in batch. Start now for free at https://app.mobb.ai, or contact us if you have any corrections, questions or suggestions.

We'd love your feedback!

We're excited to hear your thoughts and ideas about fixing vulnerabilities.

Last updated 2 months ago
