New to CAPEC? Start Here
Home > CAPEC List > CAPEC-34: HTTP Response Splitting (Version 3.5)  

CAPEC-34: HTTP Response Splitting

Attack Pattern ID: 34
Abstraction: Detailed
Status: Draft
Presentation Filter:
+ Description
This attack uses a maliciously-crafted HTTP request in order to cause a vulnerable web server to respond with an HTTP response stream that will be interpreted by the client as two separate responses instead of one. This is possible when user-controlled input is used unvalidated as part of the response headers. The target software, the client, will interpret the injected header as being a response to a second request, thereby causing the maliciously-crafted contents be displayed and possibly cached.
+ Likelihood Of Attack


+ Typical Severity


+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.220Client-Server Protocol Manipulation
PeerOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.105HTTP Request Splitting
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
  1. Spider: Using a browser or an automated tool, an adversary follows all public links on a web site. They record all the links, the forms and all potential user-controllable input points for the web application.

    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL, forms found in the pages (like file upload, etc.).
    Use a proxy tool to record all links visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
  1. Attempt variations on input parameters: The adversary injects the entry points identified in the Explore Phase with response splitting syntax and variations of payloads to be acted on in the additional response. They record all the responses from the server that include unmodified versions of their payload.

    Use CR\LF characters (encoded or not) in the payloads in order to see if the HTTP header can be split.
    Use a proxy tool to record the HTTP responses headers.
  1. Cross-Site Scripting: As the adversary succeeds in exploiting the vulnerability, they can choose to attack the user with Cross-Site Scripting. The possible outcomes of such an attack are described in the Cross-Site Scripting related attack patterns.

    Inject cross-site scripting payload preceded by response splitting syntax (CR/LF) into user-controllable input identified as vulnerable in the Experiment Phase.
  2. Cache poisoning: The adversary decides to target the cache server by forging new responses. The server will then cache the second request and response. The cached response has most likely an attack vector like Cross-Site Scripting; this attack will then be serve to many clients due to the caching system.

    The adversary decides to target the cache server by forging new responses. The server will then cache the second request and response. The cached response has most likely an attack vector like Cross-Site Scripting; this attack will then be serve to many clients due to the caching system.
+ Prerequisites
User-controlled input used as part of HTTP header
Ability of adversary to inject custom strings in HTTP header
Insufficient input validation in application to check for input sanity before using it as part of response header
+ Skills Required
[Level: High]
The adversary needs to have a solid understanding of the HTTP protocol and HTTP headers and must be able to craft and inject requests to elicit the split responses.
+ Resources Required
None: No specialized resources are required to execute this type of attack.
+ Indicators
The only indicators are multiple responses to a single request in the web logs. However, this is difficult to notice in the absence of an application filter proxy or a log analyzer. There are no indicators for the client
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Execute Unauthorized Commands
Access Control
Gain Privileges
+ Mitigations
To avoid HTTP Response Splitting, the application must not rely on user-controllable input to form part of its output response stream. Specifically, response splitting occurs due to injection of CR-LF sequences and additional headers. All data arriving from the user and being used as part of HTTP response headers must be subjected to strict validation that performs simple character-based as well as semantic filtering to strip it of malicious character sequences and headers.
+ Example Instances
In the PHP 5 session extension mechanism, a user-supplied session ID is sent back to the user within the Set-Cookie HTTP header. Since the contents of the user-supplied session ID are not validated, it is possible to inject arbitrary HTTP headers into the response body. This immediately enables HTTP Response Splitting by simply terminating the HTTP response header from within the session ID used in the Set-Cookie directive. See also: CVE-2006-0207
+ Taxonomy Mappings
Relevant to the WASC taxonomy mapping
Entry IDEntry Name
25HTTP Response Splitting

Relevant to the OWASP taxonomy mapping
Entry Name
HTTP Response Splitting
+ References
[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.
+ Content History
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modification DateModifierOrganization
2017-08-04CAPEC Content TeamThe MITRE Corporation
Updated Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Payload_Activation_Impact, Probing_Techniques, Related_Attack_Patterns, Resources_Required
2018-07-31CAPEC Content TeamThe MITRE Corporation
Updated Attack_Phases, References
2020-07-30CAPEC Content TeamThe MITRE Corporation
Updated Execution_Flow
2020-12-17CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings
2021-06-24CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses
More information is available — Please select a different filter.
Page Last Updated or Reviewed: December 17, 2020