The Hacker Recipes
GitHubTwitterDonate
Search…
Introduction
Active Directory
Reconnaissance
Movement
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
🛠️ File inclusion
SQL injection
XSS (Cross-Site Scripting)
Unrestricted file upload
CSRF (Cross-Site Request Forgery)
🛠️ HTTP parameter pollution
IDOR (Insecure Direct Object Reference)
Open redirect
Insecure JSON Web Tokens
Insecure Cookies
🛠️ SSTI (Server-Side Template Injection)
🛠️ Insecure deserialization
SSRF (Server-Side Request Forgery)
XXE injection
🛠️ CRLF injection
HTTP response splitting
🛠️ Arbitrary file download
🛠️ Directory traversal
🛠️ Null-byte injection
🛠️ Content-type juggling
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ binary exploitation
Use-after-free
Buffer overflow
🛠️ mobile apps
Android
iOS
Powered By GitBook
HTTP response splitting

Theory

The HTTP protocol uses CRLF sequences to end headers, lines and so on. When input vectors are reflected in the HTTP responses, if attackers can inject CRLF sequences, they can craft an arbitrary HTTP response. For example, this could lead to reflected XSS as the attackers would have the ability to inject arbitrary HTML content in the response.

Practice

Testers need to find input vectors that could be reflected in HTTP responses.
  • GET or POST parameters (like page, id, language, lang...)
  • Cookies
For example, in the following request line, the GET parameter page is not sanitized enough and a CRLF sequence (%0D%0A) can be injected.
1
GET /index.php?question=answer%0D%0AInjection:%20Pwned%0D%0A HTTP/1.1
Copied!
The Injection header is then reflected in the HTTP response, right after the legitimate X-Custom-Question header.
1
HTTP/1.1 200 OK
2
[...]
3
X-Custom-Question: answer
4
Injection: Pwned
5
[...]
Copied!
A CRLF injection vulnerable input vector can lead to HTTP response splitting that can in turn lead to
  • Reflected XSS
  • Redirection
  • Sensitive Information Disclosure
Headers are separated with the body by two CRLF sequences (%0D%0A%0D%0A).

Reflected XSS

The following payload injects two headers and a script tag in the body.
1
?language=fr%0D%0AContent-Length:%2040%0D%0AContent-Type:%20text/html%0D%0A%0D%0A<script>alert('XSS')</script>
Copied!

Resources

CRLF injection, HTTP response splitting, and HTTP header injection vulnerabilities
netsparker
PayloadsAllTheThings/README.md at master · swisskyrepo/PayloadsAllTheThings
GitHub
Previous
🛠️ CRLF injection
Next
🛠️ Arbitrary file download
Last modified 3mo ago
Copy link
Edit on GitHub
Contents
Theory
Practice
Reflected XSS
Resources