Vol. 1 · Ed. 2026
CyberGlossary
Entry № 554

HTTP Response Splitting

Reviewed by Cybersecurity entrepreneur & security researcher

What is HTTP Response Splitting?

HTTP Response Splitting

An injection vulnerability where untrusted CR/LF characters in user input force the server to emit additional, attacker-controlled HTTP responses.


HTTP response splitting (CRLF injection) occurs when an application reflects user input into response headers — typically Location, Set-Cookie, or custom headers — without filtering carriage-return and line-feed bytes. By injecting an encoded CR/LF pair (%0d%0a), the attacker ends the header value early and can append further headers, a new status line, or even an entire second response that downstream proxies and caches treat as legitimate. Consequences include cache poisoning, cross-site scripting, session fixation, and credential disclosure to intermediaries. The classic CWE-113 and CVE-2004-0500 disclosures highlighted the impact. Mitigations: reject or escape CR/LF in header values, use frameworks whose header APIs refuse newline characters, and prefer redirect helpers that URL-encode their inputs.

Examples

  1. Setting a Location header from a user parameter that contains %0d%0a to inject Set-Cookie.

  2. Splitting a response so the cache stores an attacker-controlled body for /home.
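To make the definition and example 01 concrete, here is an added illustration (not code from the glossary or any specific framework) of a redirect built by string concatenation beside a hardened version that URL-encodes the value and then refuses any remaining CR/LF, with a small header parser to check the outcome. The input is a constructed sample: the decoded form of a parameter carrying %0d%0a.

```python
from urllib.parse import quote

CRLF = "\r\n"

# Constructed sample: what "/home%0d%0aSet-Cookie:%20session=x" looks like after decoding.
CONSTRUCTED_INPUT = "/home" + CRLF + "Set-Cookie: session=x"


class HeaderInjectionError(ValueError):
    """Raised when a header value would terminate the header line."""


def naive_redirect(user_url: str) -> str:
    """Unsafe: raw header block by concatenation; CR/LF in user_url becomes extra headers."""
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + user_url + CRLF + CRLF


def safe_header_value(value: str) -> str:
    """Reject, rather than silently strip, any byte that can break a header line."""
    if any(ch in value for ch in "\r\n\x00"):
        raise HeaderInjectionError("CR/LF or NUL in header value")
    return value


def safe_redirect(user_url: str) -> str:
    """Hardened: percent-encode the target (CR/LF become %0D%0A), then re-check it."""
    encoded = quote(user_url, safe=":/?#&=%")  # keep URL syntax, encode everything else
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + safe_header_value(encoded) + CRLF + CRLF


def parse_header_names(raw: str) -> list:
    """Return header names the way a proxy or cache would see them (status line dropped)."""
    head = raw.split(CRLF + CRLF, 1)[0]
    return [line.split(":", 1)[0] for line in head.split(CRLF)[1:] if ":" in line]


def is_rejected(value: str) -> bool:
    """True if the validator refuses value outright (used for the raw, unencoded case)."""
    try:
        safe_header_value(value)
    except HeaderInjectionError:
        return True
    return False


if __name__ == "__main__":
    print("naive :", parse_header_names(naive_redirect(CONSTRUCTED_INPUT)))
    print("safe  :", parse_header_names(safe_redirect(CONSTRUCTED_INPUT)))
```

The naive build yields two headers, Location and an attacker-supplied Set-Cookie; the hardened build keeps a single Location header whose value contains %0D%0A, and the validator alone rejects the raw input.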

Frequently asked questions

What is HTTP Response Splitting?

An injection vulnerability where untrusted CR/LF characters in user input force the server to emit additional, attacker-controlled HTTP responses. It belongs to the Vulnerabilities category of cybersecurity.

What does HTTP Response Splitting mean?

An injection vulnerability where untrusted CR/LF characters in user input force the server to emit additional, attacker-controlled HTTP responses.

How do you defend against HTTP Response Splitting?

Defences for HTTP Response Splitting typically combine technical controls (rejecting or escaping CR/LF in header values, using framework header APIs that refuse newline characters, and URL-encoding inputs to redirect helpers) with operational practices, as detailed in the full definition above.

What are other names for HTTP Response Splitting?

Common alternative names include: CRLF injection in HTTP, HTTP header injection.
