HTTP Response Splitting Attacks

Learn how to prevent HTTP Response Splitting attacks with real code examples and best practices. Protect your web applications from header manipulation and response injection vulnerabilities.

Tools recognizing this: Fortify, Checkmarx, SonarQube, Snyk, Semgrep, CodeQL

What is HTTP Response Splitting and How Does it Work?

HTTP Response Splitting is a web security vulnerability that occurs when an attacker can inject newline characters (carriage return and line feed, CR/LF) into a response header value. Because HTTP separates headers with CR/LF, the injected characters let the attacker terminate the intended header and add headers, or even an entire second response body, of their own, potentially leading to:

  • Cache poisoning attacks

  • Cross-site scripting (XSS)

  • Page defacement

  • Response header manipulation

  • Session hijacking

This guide covers HTTP Response Splitting attacks, examples, prevention methods, and how to protect your applications using real-world techniques.

One Simple HTTP Response Splitting Attack Example

Consider this example of building a Location header from user input:

response.setHeader("Location", userInput + "/index.html");

An attacker could provide this input:

/page.html\r\nSet-Cookie: sessionId=hijacked

The resulting response headers become two separate lines:

Location: /page.html
Set-Cookie: sessionId=hijacked

This allows the attacker to inject their own response headers, potentially hijacking user sessions or performing other malicious actions.

HTTP Response Splitting Prevention Methods: How to Fix Your Code

The most effective way to fix HTTP Response Splitting is to validate and sanitize any user input before it goes into a response header. This means removing or encoding CR/LF characters and, preferably, validating the input against an allowlist of acceptable values so that only expected header values can ever be written.

Code Samples

Vulnerable Code

String userInput = request.getParameter("page");
// User input is written straight into the header; CR/LF in "page" splits the response
response.setHeader("Location", userInput + "/index.html");

Fixed Code

String userInput = request.getParameter("page");
// Remove every carriage return and line feed so the value cannot end the header line
String sanitizedInput = userInput.replaceAll("[\r\n]", "");
response.setHeader("Location", sanitizedInput + "/index.html");

Fix Explanation

The vulnerable code writes user input directly into a response header. The fix removes all CR and LF characters from the input with replaceAll() before the header is set, so an injected newline can no longer terminate the Location header and start a new one.
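The following stand-alone Java class is an added example, not Mobb's code and not part of the original page. It renders the Location header the way the attack example above does, shows how many header lines a client would parse from the raw and from the sanitized value, and adds a stricter variant of the fix that rejects CR/LF and applies the allowlist validation recommended above instead of silently rewriting the value. The allowlist pattern ALLOWED_PAGE, the helper names stripCrlf, safeLocation and headerLines, and the sample input are all assumptions made for this example.

```java
import java.util.List;
import java.util.regex.Pattern;

/** Added example (not from the original page): header hygiene for a Location header built from user input. */
public class ResponseSplittingDemo {

    // Constructed sample input: the attack string shown on the page.
    static final String ATTACK_INPUT = "/page.html\r\nSet-Cookie: sessionId=hijacked";

    // Hypothetical allowlist policy: a relative directory path made only of safe characters.
    static final Pattern ALLOWED_PAGE = Pattern.compile("^/[A-Za-z0-9_\\-]+(/[A-Za-z0-9_\\-]+)*$");

    /** The page's fix: drop every CR and LF character from the value. */
    static String stripCrlf(String input) {
        return input.replaceAll("[\\r\\n]", "");
    }

    /**
     * Stricter variant: reject rather than repair. A value containing CR or LF,
     * or one that is not on the allowlist, is refused and never reaches the header.
     */
    static String safeLocation(String input) {
        if (input.indexOf('\r') >= 0 || input.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("CR/LF not allowed in header value");
        }
        if (!ALLOWED_PAGE.matcher(input).matches()) {
            throw new IllegalArgumentException("page not in allowlist: " + input);
        }
        return input + "/index.html";
    }

    /** Render "Name: value" and split it the way an HTTP parser separates header lines. */
    static List<String> headerLines(String name, String value) {
        String raw = name + ": " + value;
        return List.of(raw.split("\r\n"));
    }

    public static void main(String[] args) {
        // Vulnerable: the value is written straight into the header, so the client sees two lines.
        List<String> split = headerLines("Location", ATTACK_INPUT + "/index.html");
        System.out.println("raw value, header lines seen by the client: " + split.size());
        split.forEach(l -> System.out.println("  " + l));

        // Page's fix: CR/LF removed, only one header line remains.
        List<String> sanitized = headerLines("Location", stripCrlf(ATTACK_INPUT) + "/index.html");
        System.out.println("after stripCrlf: " + sanitized.size() + " line(s): " + sanitized.get(0));

        // Stricter fix: the request is rejected instead of the value being rewritten.
        try {
            safeLocation(ATTACK_INPUT);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("accepted: " + safeLocation("/docs"));
    }
}
```

Running main shows the raw value producing two header lines and the sanitized value producing one. Note what stripCrlf leaves behind: the injected text is still concatenated into the Location value, just no longer on its own line. That is harmless for splitting but is why the allowlist check in safeLocation is the better default for a redirect target. Because the servlet container URL-decodes query parameters before getParameter() returns them, a percent-encoded %0d%0a in the request arrives as raw CR/LF and is caught by the same checks.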

Need more help in preventing HTTP Response Splitting?

Mobb supports fixing many forms of HTTP Response Splitting vulnerabilities, and can mitigate your issues in batch.

Start now for free at app.mobb.ai

We'd love your feedback!

We're excited to hear your thoughts and ideas about fixing vulnerabilities.

Book a meeting or Contact us if you have any corrections, questions or suggestions. Start now for free at https://app.mobb.ai
