This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Periodic Table of Vulnerabilities - HTTP Response Splitting

From OWASP
Jump to: navigation, search

Return to Periodic Table Working View

HTTP Response Splitting

Root Cause Summary

The application allows CRLF characters to be injected into HTTP response headers, which allows an attacker to inject a malicious response body in place of the intended response or force a redirect to a malicious resource.

Browser / Standards Solution

None

Perimeter Solution

None

Generic Framework Solution

Encode all CRLF pairs in dynamic data before writing the data in the context of an HTTP response header. Prevent direct access to response headers by forcing all header write requests to use a safe API.

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

Perimeter solutions for enforcing strict HTTP compliance are addressed by OWASP Periodic Table of Vulnerabilities - HTTP Request/Response Smuggling.

Should String Be An Abstract Class (John Wilander)

References

HTTP Response Splitting
HTTP Response Splitting (WASC)