LD SoftwareBespoke Software, Web Design, Security Consultants and Host Services.


You have been warned!
We have caught 5852 shameful hackers.


Paypal Referral
Sign up for PayPal and start accepting credit card payments instantly.

Link Exchange
Join our free link exchange

Click Here
HTTP response splitting

Web Design & Development Guide

HTTP response splitting

Home | Up

HTTP response splitting is a form of web application vulnerability, resulting from the failure of the application or its environment to properly sanitize input values. It can be used to perform cross-site scripting attacks, cross-user defacement, Web cache poisoning, and similar exploits.

The attack consists of making the server print a carriage return (CR, ASCII 0x0D) line feed (LF, ASCII 0x0A) sequence followed by content supplied by the attacker in the header section of its response, typically by including them in input fields sent to the application. Per the HTTP standard (RFC 2616), headers are separated by one CRLF and the response's headers are separated from its body by two. Therefore, the failure to remove CRs and LFs allows the attacker to set arbitrary headers, take control of the body, or break the response into two or more separate responses (hence the name).


Code at risk

In its simplest form consider a PHP redirect on page redir.php:

 header("Location: http://example.tld/goto.php?id=" . $_GET['id']  );

This adds a Location header to the HTTP response. $_GET['id'] is replaced with the "id" field from the query string, so a request like:


will include "send_me_here" in the response:

HTTP/1.1 302
Date: something
Location: http://example.tld/goto.php?id=send_me_here
Timeout: something
Content-Type: text/html

The attack

An attacker may want to change the cookie a target is given for a website, possibly as part of a session fixation attack. This can be done by including the following header:

Set-Cookie: some=value

The attacker can send their target to the following URL:


The id field, "%0d%0aSet-Cookie%3A+some%3Dvalue", will be decoded to produce CRLF "Set-Cookie: some=value". This string is then appended to the Location header:

HTTP/1.1 302
Date: something
Location: http://example.tld/goto.php?id=
Set-Cookie: some=value
Timeout: something
Content-Type: text/html


The generic solution is to URL-encode strings before inclusion into HTTP headers such as Location or Set-Cookie.

The example's code could be protected from this attack by sanitizing $_GET['id']. Typical examples of sanitization include casting to integer, or aggressive regular expression replacement. It is worth noting that although this is not a PHP specific problem, the PHP interpreter contains protection against this attack since version 4.4.2 and 5.1.2 [1].

[1] http://php.net/changelog

External links

Home | Up | Browser exploit | Cross-site cooking | Cross-site request forgery | Cross-site scripting | Cross-zone scripting | Directory traversal | Evil twin (wireless networks) | HTTP response splitting | IDN homograph attack | Referer spoofing | Session fixation | Session poisoning | Website spoofing

Web Design & Development Guide, made by MultiMedia | Websites for sale

This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.


Text Ads
There isn't content right now for this block.

Community Login


People Online:
Visitors: 185
Members: 1
Total: 186

Online Now:
01 : Monty

Like my code
Then please make a donation.

Which help me produce more free code.

Paypal Verified


Powered by PHP-Nuke

Valid CSS!

Valid Robots.txt

Bad Behavior

[Valid RSS]

[Valid RSS]
You can syndicate our News with backend.php And our Forums with rss.php
You can also access our feeds via Feedburner Site News and LD Software Forums
© 2009 ld-software.co.uk All Rights Reserved.
PHP-Nuke Copyright © 2005 by Francisco Burzi. This is free software, and you may redistribute it under the GPL. PHP-Nuke comes with absolutely no warranty, for details, see the license.
Page Generation: 0.46 Seconds