While playing with a redirection issue on a pretty major website I found a pretty weird HTTP response splitting issue, where forward slashes were not allowed (or rather, once you entered a forward slash it caused the whole redirection to be removed). Clearly the website was trying to protect itself from something, although I’m not exactly sure how or why. Here’s what I ended up doing.
Normally it would just do something like Location: http://somesite.com/ where whatever you typed in the URL field would end up in the Location header. Pretty typical response splitting I’d think, except I can’t inject a slash, so ending HTML tags are out (shouldn’t be a problem) but now I can’t get it from plaintext format into HTML making any HTML injection pointless.
So I ended up shortening the response splitting by instead of typing in Content-Type: text/html I just put in Content-Type: html (I removed “text/” which isn’t important to the attack. So it ended up looking like:
I can’t help but think there are nearly as many variants of response splitting as there are traditional XSS attacks. Just another reason not to have open redirection on your site.