[WEB SECURITY] CRLF Injection - HTTP Response Splitting
Mon
mon.ver85 at gmail.com
Mon Apr 30 08:32:00 EDT 2012
Hi all,
Maybe this is a very stupid question; however, after many unsuccessful
attempts, I would appreciate your assistance.
In testing a web application, I found that on sending the following request
header:
GET /path/path-contd/resource.asp?key1=value1&key2=value2&key3=value3 HTTP/1.1
....
I got the following response header:
HTTP/1.1 302 Found
Date: xxxx
Server: xxxx
Location: https://<full-domain>/path/path-contd/resource.asp?https=redirect&key1=value1&key2=value2&key3=value3
....
I tried to inject "CRLF" (%0d%0a) in value3 to perform an HTTP Response
Splitting; however, the input was always output to the response header as
text and the injected CRLF (%0d%0a) was never executed. I tried:
1. double url encoding: %250d%250a
2. encoding the attack vector to unicode 16-bit
3. injecting %0d%0a (and double encoded value) in value1 instead
4. injecting %0d%0a (and double encoded value) in value2 instead
Am I missing something trivial or any other attack vector to bypass CRLF
Injection protection/filter? Is this the right approach? Or should I safely
assume that the application is performing proper URL sanitization?
Look forward to your replies. My apologies again in case my question is
naive.
Br,
m0n
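An added example (not from the post or from the application under test) modelling in Python the redirect the poster describes: a Location header that concatenates the decoded query verbatim beside one that re-encodes each reflected value, so a CR/LF can only survive as the literal text %0D%0A, which is the behaviour the poster observed. HOST, the path and the query strings are constructed placeholders.

```python
from urllib.parse import unquote, quote, parse_qsl, urlencode

HOST = "example.test"  # placeholder for the post's <full-domain>


def unsafe_location(path, raw_query):
    # Decodes the query once (as the server does) and concatenates it verbatim:
    # a CR/LF inside a value then terminates the header line, which is the
    # condition response splitting depends on.
    return "Location: https://%s%s?https=redirect&%s" % (HOST, path, unquote(raw_query))


def safe_location(path, raw_query):
    # Decode once, then re-encode every name/value with quote(): CR and LF come
    # back out as the text %0D%0A, and a double-encoded %250d%250a decodes to the
    # literal text %0d%0a, which quote() turns into %250d%250a rather than into a
    # second-pass newline.
    pairs = parse_qsl(raw_query, keep_blank_values=True)
    rebuilt = urlencode([("https", "redirect")] + pairs, quote_via=quote)
    return "Location: https://%s%s?%s" % (HOST, path, rebuilt)


def header_is_split(header_line):
    # Defender-side check: one header line must contain no CR or LF at all.
    return "\r" in header_line or "\n" in header_line


def build_response(location_header):
    # Minimal 302 response around the header, mirroring the post's example.
    return "HTTP/1.1 302 Found\r\n" + location_header + "\r\n\r\n"


if __name__ == "__main__":
    # Constructed sample query: a CR/LF followed by a harmless test header name.
    q = "key1=value1&key2=value2&key3=value3%0d%0aX-Test:%201"
    print(build_response(unsafe_location("/path/resource.asp", q)))
    print(build_response(safe_location("/path/resource.asp", q)))
```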