
HTTP Response Splitting

Impact: High

Description

HTTP response splitting is the result of the failure of a web application to properly sanitize CR (ASCII 0x0D) and LF (ASCII 0x0A) characters in HTTP headers. Per the HTTP standard (RFC 2616), headers are separated by one CRLF, and the response's headers are separated from its body by two. Therefore, the failure to remove CRs and LFs allows an attacker to set arbitrary headers, take control of the body, or break the response into two or more separate responses. (Wikipedia)

Recommendation

The generic solution is to URL-encode strings before including them in HTTP headers such as Location or Set-Cookie. (Wikipedia)
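The recommendation above as an added example (not part of the original page and not SmartScanner code): a redirect builder that copies a value into Location verbatim, beside one that percent-encodes it first. The function names, the safe-character set and the sample input are assumptions constructed for illustration.

```python
from urllib.parse import quote

CRLF = "\r\n"

# Constructed sample: a redirect target carrying a raw CR LF pair.
SAMPLE = "/home\r\nX-Injected: 1"


def build_redirect_unsafe(target):
    """'Before' form: the value is copied into the Location header verbatim."""
    head = (f"HTTP/1.1 302 Found{CRLF}Location: {target}{CRLF}"
            f"Content-Length: 0{CRLF}{CRLF}")
    return head.encode("latin-1")


def encode_header_value(value):
    """Percent-encode the value so CR and LF become %0D and %0A.

    The safe set keeps common URL delimiters readable (assumed choice);
    '%' is not in it, so pre-encoded input is encoded again, not trusted.
    """
    encoded = quote(value, safe="/:?&=")
    # Defense in depth: refuse to emit a header if a raw CR/LF survived.
    if "\r" in encoded or "\n" in encoded:
        raise ValueError("raw CR/LF in header value")
    return encoded


def build_redirect_safe(target):
    """'After' form: the value is URL-encoded before it reaches the header."""
    return build_redirect_unsafe(encode_header_value(target))


def header_names(response):
    """Return the header names a client would see before the blank line."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [line.split(":", 1)[0] for line in head.split(CRLF)[1:]]


if __name__ == "__main__":
    print("unsafe:", header_names(build_redirect_unsafe(SAMPLE)))
    print("safe:  ", header_names(build_redirect_safe(SAMPLE)))
    print("encoded value:", encode_header_value(SAMPLE))
```

Comparing the parsed header list of a response against the headers the application meant to send is also a usable regression test for this class of bug.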

Last updated on February 15, 2021
