HTTP Response Splitting Cheat Sheet

By RSnake

Note from the author: HTTP Response Splitting is probably a misnomer for what this page describes, since it covers both HTTP response splitting and HTTP header injection. If you don't know what this is, this page probably won't help you. This is a collection of valid examples that have worked in varying real-world situations and is designed to show as much. Places to inject this are headers (of course) and places that will show up in headers: these include variables that will end up in Cookies, Location headers, MIME encoding types, Expect headers, etc.

If you have an RSS reader feel free to subscribe to the Web Application Security RSS feed below, or join the forum:

Web Application Security RSS feed

HTTP Response Splitting
    Response Splitting: This is the most common form of response splitting and is fully RFC compliant. It is based on the research done by Amit Klein:

    Browser support: [IE6.0|NS8.1-IE] [NS8.1-G|FF1.5] [O8.54]
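The splitting described above works because a CR/LF pair inside a header value ends the header and lets the rest of the value be parsed as new headers or a second response. As an added example (not code from this page or from Amit Klein's research), the following shows the two defensive checks a practitioner wants: a header-value validator that rejects raw and URL-encoded CR/LF before a value is serialised into a header, and a stream-side detector that parses one response by its Content-Length and flags leftover bytes that begin with another status line. The sample values and the raw response bytes are constructed for the demonstration; the host names and paths are assumptions.

```python
import re
from urllib.parse import unquote

# Bytes that must never appear inside a header value: CR and LF terminate a
# header line, and NUL is rejected (or truncates) in most parsers.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def header_value_is_safe(value: str, max_decode: int = 2) -> bool:
    """Return True only if `value` can be placed in a response header as-is.

    The raw value is checked first, then each URL-decoding level up to
    `max_decode`, so `%0d%0a` and `%250d%250a` are both refused when the
    server (or a downstream component) decodes before emitting the header.
    Deeper encodings than `max_decode` are deliberately not chased.
    """
    candidate = value
    for _ in range(max_decode + 1):
        if _FORBIDDEN.search(candidate):
            return False
        candidate = unquote(candidate)
    return True


def build_redirect(location: str) -> bytes:
    """Serialise a 302 response, refusing any Location value that would split it."""
    if not header_value_is_safe(location):
        raise ValueError("refusing to emit a header value containing CR/LF or NUL")
    return (
        f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n"
    ).encode("latin-1")


def bytes_after_first_response(raw: bytes) -> bytes:
    """Parse one HTTP/1.x response by its Content-Length and return the leftover.

    A single well-formed response leaves nothing behind. Leftover bytes that
    start with a status line mean a second response was injected into the
    stream, which is exactly what a proxy or IDS would look for.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return b""
    length = 0
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, val = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(val.strip() or 0)
    return rest[length:]


def looks_like_split(raw: bytes) -> bool:
    """True if a second status line follows the first response's declared body."""
    leftover = bytes_after_first_response(raw)
    return re.match(rb"HTTP/1\.[01] \d{3}", leftover) is not None


# Constructed sample header values (not from the page): a benign redirect
# target and the same target with a CR/LF sequence appended raw, URL-encoded,
# and double URL-encoded.
SAMPLES = {
    "benign": "/account/settings",
    "raw_crlf": "/home\r\nX-Injected: 1",
    "encoded_crlf": "/home%0d%0aX-Injected: 1",
    "double_encoded": "/home%250d%250aX-Injected: 1",
}

# Constructed raw response stream (not captured traffic): a 302 with an empty
# body followed by a second, injected 200 response.
SPLIT_STREAM = (
    b"HTTP/1.1 302 Found\r\nLocation: /home\r\nContent-Length: 0\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 2\r\n\r\nhi"
)
NORMAL_STREAM = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nhi"


def check_samples() -> dict:
    """Map each sample name to whether the validator accepts it."""
    return {name: header_value_is_safe(v) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    print(check_samples())
    print("split stream flagged:", looks_like_split(SPLIT_STREAM))
    print("normal stream flagged:", looks_like_split(NORMAL_STREAM))
```

Rejecting rather than stripping is the safer choice: a stripped value silently becomes a different redirect target, while a rejected one surfaces the attempt in application logs. The stream detector keys on Content-Length on purpose; counting status lines anywhere in the stream would false-positive on bodies that happen to contain `HTTP/1.1 200` at the start of a line.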

HTTP Header Splitting
    Cookie Injection: Use this if you need to inject a cookie for session fixation, or where the cookie will be replayed on another page elsewhere and decoded to inject your XSS vector.

    Browser support: [IE6.0|NS8.1-IE] [NS8.1-G|FF1.5] [O8.54]

    Improper MIME types: This is an example where the server wouldn't allow a forward slash, as it was only designed to redirect to another page on the same server. To get around this, since the normal MIME type was text/plain, we had to improvise. This is not RFC 2616 compliant (sec 3.7, or sec 4.2 for the lack of a space), but Gecko doesn't care:

    Browser support: [IE6.0|NS8.1-IE] [NS8.1-G|FF1.5] [O8.54]

    URL Required: This is an example where the 301/302/307 redirection required that a URL be in the string, but we don't want to put it first or that will cause the redirection:

    Browser support: [IE6.0|NS8.1-IE] [NS8.1-G|FF1.5] [O8.54]

    URL Required 2: Combining the above two examples, except the server required that the first slash be preceded by "http:" (I've seen this type of logic a few times in the wild).

    Browser support: [IE6.0|NS8.1-IE] [NS8.1-G|FF1.5] [O8.54]
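The three redirect examples above all describe server-side checks built on substrings: "no forward slash", "a URL must appear somewhere", "the first slash must follow http:". Each is satisfied by an input that carries the required substring while still containing CR/LF elsewhere. As an added example (not code from this page), the following puts one such substring check beside a validator that parses the target with `urllib.parse`, accepts only a single-slash relative path or an absolute URL to an allowlisted host, and rejects control characters and backslashes before anything reaches a Location header. The allowed host names and the sample targets are assumptions constructed for the demonstration.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: the hosts this site is allowed to redirect to.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def weak_redirect_check(target: str) -> bool:
    """Substring logic of the kind the page describes: accept the target as long
    as a URL-looking prefix appears somewhere in it. Satisfied by any string
    that contains 'http:/', whatever precedes it."""
    return "http:/" in target


def validate_redirect(target: str):
    """Return the redirect target if it is safe to emit, otherwise None."""
    # 1. No control characters (CR/LF would terminate the Location header)
    #    and no backslashes (browsers treat '/\host' like '//host').
    if any(ord(c) < 0x20 or c == "\x7f" for c in target) or "\\" in target:
        return None

    parts = urlsplit(target)

    # 2. Relative path on this site: must start with exactly one slash, since
    #    '//host/path' is a scheme-relative URL that leaves the site.
    if not parts.scheme and not parts.netloc:
        if target.startswith("/") and not target.startswith("//"):
            return target
        return None

    # 3. Absolute URL: only http(s) to an allowlisted host. `hostname` is the
    #    part after any userinfo, so 'http://www.example.com@evil.example/'
    #    resolves to evil.example and is refused.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return urlunsplit(parts)
    return None


# Constructed sample targets (not from the page) covering the cases above.
SAMPLE_TARGETS = [
    "/account",
    "https://www.example.com/login",
    "//evil.example/",
    "/\\evil.example/",
    "https://evil.example/",
    "http://www.example.com@evil.example/",
    "/home\r\nX-Injected: 1 http:/",
]


def compare_checks() -> dict:
    """For each sample, show what the substring check and the parser-based
    validator decide, so the difference is visible side by side."""
    return {
        t: {"weak": weak_redirect_check(t), "strict": validate_redirect(t)}
        for t in SAMPLE_TARGETS
    }


if __name__ == "__main__":
    for target, verdict in compare_checks().items():
        print(repr(target), verdict)
```

The last sample is the one the page's "URL Required" examples describe: the substring check passes because `http:/` is present, while the parser-based validator refuses it on the control characters before it ever considers the URL shape.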

    Expect: Prior to Apache fixing this issue (in versions 1.3.35, 2.0.58, and 2.2.2), injecting Expect headers into the server would cause it to error out and pop up your vulnerability:

    Browser support: [IE6.0|NS8.1-IE] [NS8.1-G|FF1.5] [O8.54]

    Expect Flash Header Spoofing: Amit Klein found that you can spoof headers in Flash and cause the above example to be triggered from any web page under your control, as long as the server is vulnerable to it:

    Browser support: [IE6.0|NS8.1-IE] [NS8.1-G|FF1.5] [O8.54]

Character Encoding Calculator (interactive tool; fields: Hex Value, Decimal Value, Base64 Value, HTML with semicolons, HTML without semicolons)

IP Obfuscation Calculator (interactive tool; fields: IP Address, dword level, Dword Address, Hex Address, Octal Address)

Browser support reference table:

IE6.0 Vector works in Internet Explorer. Most recently tested with Internet Explorer, SP2 on Windows 2000.
NS8.1-IE Vector works in Netscape 8.1+ in IE rendering engine mode. Most recently tested with Netscape 8.1 on Windows XP Professional. This used to be called trusted mode, but Netscape has changed its security model away from the trusted/untrusted model and has opted for Gecko as the default and IE as an option.
NS8.1-G Vector works in Netscape 8.1+ in Gecko rendering engine mode. Most recently tested with Netscape 8.1 on Windows XP Professional.
FF1.5 Vector works in Mozilla's Gecko rendering engine, used by Firefox. Most recently tested with Firefox on Windows XP Professional.
O8.54 Vector works in Opera. Most recently tested with Opera 8.54, Build 7722 on Windows XP Professional.
NS4 Vector works in older versions of Netscape 4.0. Untested.

Note: if a vector is not marked it either does not work or it is untested.

Written in vim, and UTF-8 encoded, for her pleasure.
All rights reserved, all wrongs observed.
© 2001-2014 RSnake