Webmaster Top
> Languages
Preferred language:
English German Polish
Main Menu


 Log in Problems?
 New User? Sign Up!

Web Host Center
HTTP response splitting

Web Design & Development Guide

HTTP response splitting


HTTP response splitting is a form of web application vulnerability, resulting from the failure of the application or its environment to properly sanitize input values. It can be used to perform cross-site scripting attacks, cross-user defacement, Web cache poisoning, and similar exploits.

The attack consists of making the server print a carriage return (CR, ASCII 0x0D) line feed (LF, ASCII 0x0A) sequence followed by content supplied by the attacker in the header section of its response, typically by including them in input fields sent to the application. Per the HTTP standard (RFC 2616), headers are separated by one CRLF and the response's headers are separated from its body by two. Therefore, the failure to remove CRs and LFs allows the attacker to set arbitrary headers, take control of the body, or break the response into two or more separate responses (hence the name).


Code at risk

In its simplest form consider a PHP redirect on page redir.php:

 header("Location: http://example.tld/goto.php?id=" . $_GET['id']  );

This adds a Location header to the HTTP response. $_GET['id'] is replaced with the "id" field from the query string, so a request like:


will include "send_me_here" in the response:

HTTP/1.1 302
Date: something
Location: http://example.tld/goto.php?id=send_me_here
Timeout: something
Content-Type: text/html

The attack

An attacker may want to change the cookie a target is given for a website, possibly as part of a session fixation attack. This can be done by including the following header:

Set-Cookie: some=value

The attacker can send their target to the following URL:


The id field, "%0d%0aSet-Cookie%3A+some%3Dvalue", will be decoded to produce CRLF "Set-Cookie: some=value". This string is then appended to the Location header:

HTTP/1.1 302
Date: something
Location: http://example.tld/goto.php?id=
Set-Cookie: some=value
Timeout: something
Content-Type: text/html


The generic solution is to URL-encode strings before inclusion into HTTP headers such as Location or Set-Cookie.

The example's code could be protected from this attack by sanitizing $_GET['id']. Typical examples of sanitization include casting to integer, or aggressive regular expression replacement. It is worth noting that although this is not a PHP specific problem, the PHP interpreter contains protection against this attack since version 4.4.2 and 5.1.2 [1].

[1] http://php.net/changelog

External links

Browser exploit
Cross-site cooking
Cross-site request forgery
Cross-site scripting
Cross-zone scripting
Directory traversal
Evil twin (wireless networks)
HTTP response splitting
IDN homograph attack
Referer spoofing
Session fixation
Session poisoning
Website spoofing

§ Good Partners §

Buy and Sell text links


Web Development CSS DHTML Domains Google Yahoo Guide.