[WEB SECURITY] Classification of HTTP Response Splitting vulnerabilities

Tim tim-security at sentinelchicken.org
Mon Mar 21 13:04:52 EDT 2011

Hi MustLive,

> In my article Classification of HTTP Response Splitting vulnerabilities

HTTP Response Splitting isn't a vulnerability.  It is an attack.  The
vulnerability is HTTP header injection.  This is clear from your example:

> http://site/page?p=%0AHeader:value

You injected a header, you did not split the response into multiple
responses.  However, in the next example, you did do this:

> http://site/page?p=%0AContent-Type:html%0A%0A%3Cscript%3Ealert(document.cookie)%3C/script%3E

Note that to be technically correct, you should be using %0d%0a as
your new lines.

HTTP header injection can occur in requests and responses and response
splitting is just one specific attack against one of those scenarios.
Note that injecting simple headers without splitting responses can
have a serious impact on security in specific scenarios.  I think it
is important to nail down correctly descriptive terminology so people
have an easier time understanding the core issue.


More information about the websecurity mailing list