HTTP Response Splitting allows an attacker to manipulate the response received by a web browser. The attacker sends a single HTTP request that forces the web server to form an output stream which the target then interprets as two HTTP responses instead of one.
HTTP Response Splitting occurs when data enters a web application through an untrusted source, most frequently an HTTP request. The data is then included in an HTTP response header sent to a web user without being validated for malicious characters. At its root, the HTTP Response Splitting attack is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header.
The attack consists of making the server emit a carriage return (CR, ASCII 0x0D) and line feed (LF, ASCII 0x0A) sequence followed by attacker-supplied content in the header section of its response, typically by placing those characters in input fields sent to the application. Failure to remove CRs and LFs allows the attacker to set arbitrary headers, take control of the body, or break the response into two or more separate responses, hence the name.
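As an added example (not code from this page), the following Python shows a minimal redirect handler in its vulnerable form beside its hardened form, and counts how many responses a client would see in the resulting byte stream; the functions `render_response`, `redirect_unsafe`, `redirect_safe`, `header_value_is_safe` and `count_responses`, and both sample inputs, are constructed for this illustration.

```python
import re

CRLF = "\r\n"
# Any CR or LF in a header value is the root cause of response splitting; reject the whole value.
_CR_OR_LF = re.compile(r"[\r\n]")

def render_response(status: str, headers: list[tuple[str, str]], body: bytes = b"") -> bytes:
    """Serialise a minimal HTTP/1.1 response: status line, header lines, blank line, body."""
    head = [status] + [f"{name}: {value}" for name, value in headers]
    return (CRLF.join(head) + CRLF + CRLF).encode("latin-1") + body

def redirect_unsafe(target: str) -> bytes:
    """'Before': an untrusted value is copied straight into the Location header (vulnerable)."""
    return render_response("HTTP/1.1 302 Found", [("Location", target), ("Content-Length", "0")])

def header_value_is_safe(value: str) -> bool:
    """The check that closes the bug: a header value must not contain CR or LF."""
    return _CR_OR_LF.search(value) is None

def redirect_safe(target: str) -> bytes:
    """'After': refuse to build a response whose header value carries CR/LF."""
    if not header_value_is_safe(target):
        raise ValueError("CR/LF in header value; refusing to build response")
    return redirect_unsafe(target)  # same serialisation, now reached only with clean input

def count_responses(raw: bytes) -> int:
    """How many responses a client parser sees in one byte stream: the number of
    blank-line-separated blocks that begin with an HTTP status line."""
    blocks = raw.split((CRLF + CRLF).encode("latin-1"))
    return sum(1 for b in blocks if b.startswith(b"HTTP/1.1 "))

# Constructed inputs: a normal redirect target, and one that embeds CR/LF to close the
# first response and start a second one (the pattern the text above describes).
CLEAN_TARGET = "/account"
SPLIT_TARGET = (
    "/account" + CRLF + "Content-Length: 0" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF + "Content-Length: 5" + CRLF + CRLF + "hello"
)

if __name__ == "__main__":
    print("unsafe, clean input:", count_responses(redirect_unsafe(CLEAN_TARGET)), "response(s)")
    print("unsafe, CRLF input :", count_responses(redirect_unsafe(SPLIT_TARGET)), "response(s)")
    try:
        redirect_safe(SPLIT_TARGET)
    except ValueError as exc:
        print("safe, CRLF input   : rejected ->", exc)
```

Most current web frameworks apply an equivalent CR/LF check inside their header-setting API; the example shows what that check has to cover when headers are assembled by hand.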