HTTP Response Splitting occurs when user-controlled input is inserted into HTTP response headers without removing or escaping carriage return and line feed…
HTTP Response Splitting occurs when user-controlled input is inserted into HTTP response headers without removing or escaping carriage return and line feed characters (CRLF: \r\n). An attacker can use these characters to inject additional headers or even create entirely new HTTP responses, potentially leading to cache poisoning, session fixation, or content injection attacks.
02How It Happens
HTTP headers are separated by CRLF sequences. When an application constructs a response header using unsanitized user input, an attacker can embed their own CRLF characters to terminate the current header and inject new ones. For example, if a Location header or Set-Cookie header is built from query parameters or form data without validation, an attacker can inject a blank line followed by arbitrary content, which the HTTP parser interprets as the start of a new response body. This is particularly dangerous in scenarios involving HTTP caching, where a poisoned response may be stored and served to other users.
03Real-World Impact
An attacker exploiting this weakness can inject malicious headers (such as Set-Cookie to hijack sessions), redirect users to phishing sites, or inject HTML/JavaScript into the response body to perform cross-site scripting attacks. In cached environments, a single poisoned response can affect multiple users. The vulnerability can also be chained with other attacks to achieve session fixation or credential theft.
Why it's vulnerable: The redirect_url parameter is placed directly into the Location header without sanitizing CRLF characters. An attacker can inject \r\n to add arbitrary headers or split the response.
Why it's vulnerable: The $username parameter is directly embedded in the header without stripping CRLF sequences. An attacker can inject \r\n to add new headers or split the response.
Validate and sanitize all user input before placing it into HTTP headers; remove or reject any CRLF characters (\r, \n, or %0d, %0a in URL-encoded form).
Use framework-provided header functions that automatically sanitize input (e.g., Flask's redirect(), Django's HttpResponseRedirect(), or WordPress's wp_safe_remote_*() functions).
Allowlist acceptable values for headers like Location or Set-Cookie — if a redirect URL must come from user input, validate it against a whitelist of safe domains.
Avoid constructing headers manually with string concatenation; use built-in APIs that handle encoding and validation.
Test with CRLF payloads in your security testing — include %0d%0a and literal newlines in parameter fuzzing.
06Signs You May Already Be Affected
Look for unexpected headers in HTTP responses, particularly Set-Cookie or Location headers that contain unusual characters or multiple values. Check web server logs for requests containing encoded CRLF sequences (%0d%0a, %0a, %0d) in parameters. If you notice users reporting unexpected redirects or cookie-related session issues, investigate whether response headers are being manipulated.