attacker. The attacker, therefore, tricks the target into believing that a
particular resource on the web server (designated by the second
request) is the server's HTTP response (server content), while it is in
fact data forged by the attacker and delivered through the web
server: this is the second response.
HTTP Response Splitting attacks take place where the server script
embeds user data in HTTP response headers. This typically happens
when the script embeds user data in the redirection URL of a
redirection response (HTTP status code 3xx), or when the script
embeds user data in a cookie value or name when the response sets
a cookie.
In the first case, the redirection URL is part of the Location HTTP
response header, and in the second (cookie-setting) case, the cookie
name/value is part of the Set-Cookie HTTP response header.
The essence of the attack is injecting CRs and LFs in such a manner
that a second HTTP message is formed where a single one was
planned for by the application. CRLF injection is a method used for
several other attacks which change the data of the single HTTP
response sent by the application (e.g. [2]), but in this case the role of
the CRLFs is slightly different: it is meant to terminate the first
(planned) HTTP response message and to form another (totally crafted
by the attacker, and totally unplanned by the application) HTTP
response message, hence the name of the attack.
This injection is possible if the application (that runs on top of the web
server) embeds unvalidated user data in a redirection, a cookie
setting, or in any other manner that eventually causes user data to
become part of the HTTP response headers.
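The following is an added worked example, not code from the WASC document: a redirect script that copies a user-supplied query parameter into the Location header, a small parser that shows how an HTTP/1.1 intermediary would carve the resulting byte stream into two responses once CR/LF is injected, and a hardened variant of the same script that refuses control characters and percent-encodes the value. The host name example.test, the script name by_lang.jsp, the parameter name lang and all function names are assumptions made for the example; the injected second response is a constructed sample.

```python
"""Added example (not from the original document): HTTP Response
Splitting through an unvalidated redirect parameter, plus the fix.
All names and the sample payload are assumptions made for illustration."""
from typing import Dict, List, Tuple
from urllib.parse import quote, unquote

CRLF = "\r\n"
# Hypothetical redirect target; the 'lang' value comes straight from the query string.
REDIRECT_BASE = "http://example.test/by_lang.jsp?lang="


def build_redirect_response(lang: str) -> str:
    """Vulnerable: the untrusted 'lang' value is embedded verbatim in the
    Location header of a 302 response, exactly the situation the text
    describes. (The same mistake with Set-Cookie splits the same way.)"""
    return (
        "HTTP/1.1 302 Moved Temporarily" + CRLF
        + "Location: " + REDIRECT_BASE + lang + CRLF
        + "Content-Type: text/html" + CRLF
        + CRLF
    )


def build_redirect_response_safe(lang: str) -> str:
    """Hardened: reject CR, LF and other control characters outright, and
    percent-encode the value so no character can end a header line."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in lang):
        raise ValueError("control character in redirect parameter")
    return (
        "HTTP/1.1 302 Moved Temporarily" + CRLF
        + "Location: " + REDIRECT_BASE + quote(lang, safe="") + CRLF
        + "Content-Type: text/html" + CRLF
        + CRLF
    )


def split_messages(raw: str) -> List[Tuple[str, Dict[str, str], str]]:
    """Parse a raw stream the way an HTTP/1.1 proxy or cache would:
    status line, header lines up to the first empty line, then exactly
    Content-Length bytes of body (0 if absent). Whatever is left over is
    parsed as the next message. Returns (status_line, headers, body)."""
    messages = []
    rest = raw
    while rest:
        head, sep, rest = rest.partition(CRLF + CRLF)
        if not sep:
            # Header block never terminated: an incomplete trailing message.
            messages.append((head.split(CRLF)[0], {}, ""))
            break
        lines = head.split(CRLF)
        status_line, headers = lines[0], {}
        for line in lines[1:]:
            if not line:
                continue
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body, rest = rest[:length], rest[length:]
        messages.append((status_line, headers, body))
    return messages


# Constructed attack value as it travels in the URL: %0d%0a is CRLF.
# It closes the planned 302 with "Content-Length: 0" and a blank line,
# then supplies a complete second response of the attacker's choosing.
ATTACK_QUERY = (
    "en%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2019%0d%0a%0d%0a%3Chtml%3EShazam%3C/html%3E"
)
ATTACK_LANG = unquote(ATTACK_QUERY)  # what the script sees after URL decoding


def demo() -> int:
    """Return the number of messages a proxy would see for the attack value."""
    msgs = split_messages(build_redirect_response(ATTACK_LANG))
    for status, headers, body in msgs:
        print(repr(status), headers, repr(body))
    return len(msgs)


if __name__ == "__main__":
    demo()
```

Running the vulnerable builder on the attack value yields the planned 302, a fully attacker-controlled 200 response carrying the page body, and a stray fragment made of the server's own trailing headers; in the scenario described above, the proxy pairs the second message with the second (innocent) request. The hardened builder raises on the same input, and for ordinary values emits a single response whose Location value is percent-encoded.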
With HTTP Response Splitting, it is possible to mount various kinds
of attacks:
Cross-site Scripting (XSS): Until now, it has been impossible to
mount XSS attacks on sites through a redirection script when
Copyright 2004, Web Application Security Consortium. All rights reserved.