Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
HTTP response splitting
open-in-new
<h2 id="prevention">Prevention</h2> <p>The generic solution is to <a href="/facts/Percent-encoding/zprLw5se">URL-encode</a> strings before inclusion into <a href="/facts/List_of_HTTP_headers/hEkcQe2f">HTTP headers</a> such as <i>Location</i> or <i>Set-Cookie</i>. </p><p>Typical examples of sanitization include <a href="/facts/Type_conversion/FuPD945T">casting</a> to <a href="/facts/Integer/PUwwrawx">integers</a> or aggressive <a href="/facts/Regular_expression/KFL3veHX">regular expression</a> replacement. Most modern server-side scripting languages and runtimes, like <a href="/facts/PHP/vU6YRJX0">PHP</a> since version 5.1.2<a class="footnote-ref" id="fnref:1" href="#fn:1"><sup>1</sup></a> and <a href="/facts/Node.js/FKzhV4Qa">Node.js</a> since 4.6.0 (previous versions supported it, but the protection could've been bypassed, which was discovered in 2016)<a class="footnote-ref" id="fnref:2" href="#fn:2"><sup>2</sup></a> as well as <a href="/facts/Web_framework/8f1CVHDX">Web frameworks</a>, such as <a href="/facts/Django_(web_framework)/TjPPmvSg">Django</a> since version 1.8.4<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a> support sanitization of HTTP responses against this type of vulnerability. </p> <h2 id="external-links">External links</h2> <ul><li><a href="https://dl.packetstormsecurity.net/papers/general/whitepaper_httpresponse.pdf">Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics. Amit Klein, 2004.</a></li> <li><a href="http://www.webappsec.org/projects/threat/classes/http_response_splitting.shtml">HTTP Response Splitting, The Web Application Security Consortium</a></li> <li><a href="http://wapiti.sf.net">Wapiti Open Source XSS, Header, SQL and LDAP injection scanner</a></li> <li><a href="https://lwn.net/Articles/303445/">LWN article</a></li> <li><a href="//cwe.mitre.org/data/definitions/113.html">CWE-113: Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')</a></li> <li><a href="https://owasp.org/www-community/attacks/HTTP_Response_Splitting">HTTP Response Splitting Attack - OWASP</a></li> <li><a href="https://owasp.org/www-community/vulnerabilities/CRLF_Injection">CRLF Injection - OWASP</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>"PHP: PHP 5.1.2. Release Announcement". The PHP Group. Retrieved 2014-11-13. <a href="//php.net/releases/5_1_2.php" target="_blank">//php.net/releases/5_1_2.php</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>"CVE-2016-5325 | Snyk Vulnerability Database". Learn more about debian:9 with Snyk Open Source Vulnerability Database. Retrieved 2024-01-16. <a href="https://security.snyk.io/" target="_blank">https://security.snyk.io/</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>"CVE-2015-5144 | Snyk Vulnerability Database". Learn more about pip with Snyk Open Source Vulnerability Database. Retrieved 2024-01-16. <a href="https://security.snyk.io/" target="_blank">https://security.snyk.io/</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> </ol>