Weakness reference
CWE-113

HTTP Response Splitting

HTTP Response Splitting occurs when user-controlled input is inserted into HTTP response headers without removing or escaping carriage return and line feed…

01Summary

HTTP Response Splitting occurs when user-controlled input is inserted into HTTP response headers without removing or escaping carriage return and line feed characters (CRLF: \r\n). An attacker can use these characters to inject additional headers or even create entirely new HTTP responses, potentially leading to cache poisoning, session fixation, or content injection attacks.

02How It Happens

HTTP headers are separated by CRLF sequences. When an application constructs a response header using unsanitized user input, an attacker can embed their own CRLF characters to terminate the current header and inject new ones. For example, if a Location header or Set-Cookie header is built from query parameters or form data without validation, an attacker can inject a blank line followed by arbitrary content, which the HTTP parser interprets as the start of a new response body. This is particularly dangerous in scenarios involving HTTP caching, where a poisoned response may be stored and served to other users.

03Real-World Impact

An attacker exploiting this weakness can inject malicious headers (such as Set-Cookie to hijack sessions), redirect users to phishing sites, or inject HTML/JavaScript into the response body to perform cross-site scripting attacks. In cached environments, a single poisoned response can affect multiple users. The vulnerability can also be chained with other attacks to achieve session fixation or credential theft.

04Vulnerable & Fixed Patterns

Vulnerable pattern
from flask import Flask, request, make_response

app = Flask(__name__)

@app.route('/redirect')
def redirect_user():
    redirect_url = request.args.get('url')
    response = make_response()
    response.headers['Location'] = redirect_url
    return response, 302

Why it's vulnerable:
The redirect_url parameter is placed directly into the Location header without sanitizing CRLF characters. An attacker can inject \r\n to add arbitrary headers or split the response.

Fixed pattern
from flask import Flask, request, make_response
import re

app = Flask(__name__)

@app.route('/redirect')
def redirect_user():
    redirect_url = request.args.get('url', '')
    # Remove any CRLF characters
    redirect_url = re.sub(r'[\r\n]', '', redirect_url)
    response = make_response()
    response.headers['Location'] = redirect_url
    return response, 302
Vulnerable pattern
<?php
$username = $_GET['user'];
header('Set-Cookie: username=' . $username);
?>

Why it's vulnerable:
The $username parameter is directly embedded in the header without stripping CRLF sequences. An attacker can inject \r\n to add new headers or split the response.

Fixed pattern
<?php
$username = $_GET['user'];
// Remove CRLF characters
$username = str_replace(["\r", "\n"], '', $username);
header('Set-Cookie: username=' . $username);
?>

05Prevention Checklist

Validate and sanitize all user input
before placing it into HTTP headers; remove or reject any CRLF characters (\r, \n, or %0d, %0a in URL-encoded form).
Use framework-provided header functions
that automatically sanitize input (e.g., Flask's redirect(), Django's HttpResponseRedirect(), or WordPress's wp_safe_remote_*() functions).
Allowlist acceptable values
for headers like Location or Set-Cookie — if a redirect URL must come from user input, validate it against a whitelist of safe domains.
Avoid constructing headers manually
with string concatenation; use built-in APIs that handle encoding and validation.
Test with CRLF payloads
in your security testing — include %0d%0a and literal newlines in parameter fuzzing.

06Signs You May Already Be Affected

Look for unexpected headers in HTTP responses, particularly Set-Cookie or Location headers that contain unusual characters or multiple values. Check web server logs for requests containing encoded CRLF sequences (%0d%0a, %0a, %0d) in parameters. If you notice users reporting unexpected redirects or cookie-related session issues, investigate whether response headers are being manipulated.

07Related Recent Vulnerabilities