“HTTP Response Splitting” is a new application attack technique which enables
various new attacks such as web cache poisoning, cross user defacement, hijacking
pages with sensitive user information and an old favorite, cross-site scripting (XSS).
This attack technique, and the derived attacks from it, are relevant to most web
environments and is the result of the application’s failure to reject illegal user input, in
this case, input containing malicious or unexpected characters.
Cross user defacement
enables the attacker to forge a page that is sent to the victim. It can be looked at as a very localized and temporary kind of defacement, which affects one user at a time. Web cache poisoning
elevates that defacement into a permanent effect on a more global scope by forging a cached page in a cache server shared among a multitude of site users.Hijacking pages with sensitive user information
lets the attacker gain access to user specific information provided by the server such as health records or financial data.Cross-site scripting
enables the attacker to steal other client’s credentials that are then used in conjunction with the vulnerable site. HTTP response splitting, and the derived attacks, are relevant to most web environments including Microsoft ASP, ASP.NET, IBM WebSphere, BEA WebLogic, Jakarta Tomcat, Macromedia ColdFusion/MX, Sun Microsystems SunONE; popular cache
servers such as NetCache, Squid and Apache; and popular browsers such as Microsoft
The HTTP response splitting vulnerability is the result of the application’s failure to
reject illegal user input. Specifically, input containing malicious or unexpected CR
and LF characters.
This paper will describe the concept of the attack and provide some use cases. We
will include a description of the basic technique and practical considerations of
various aspects of the attack and some theoretic results in one case. Finally, we
comment on evidence of the vulnerability in the wild, some research byproducts,
recommendations, conclusions, related work and references. The full list of products
we experimented with is provided in the appendix.