Title: HTTP Response Splitting - How common?

Post by: MaXe on February 03, 2011, 09:07:19 AM

Hello EH'ers,

Today would be time for a good question, so I thought: How common is the HTTP Response Splitting vulnerability? Compared to XSS (Persistent and Non-Persistent), XSRF/CSRF, SQL Injection, LFI + RFI, RCE, etc. I have seen a few WebAppSec courses implement it in their material, but I haven't encountered this vulnerability on a live website yet. The attack itself is interesting, but personally it feels like an attack which died a long time ago, before RFI suddenly got patched pretty well in most web applications.

So how common are HTTP Response Splitting vulnerabilities? What is your opinion? I'd like to know since I haven't really hunted for these bugs either, but also because I want to know if it's worth spending time trying to find them during a real pentest (where the source code is not available), compared to the other vulnerabilities which are easier to detect, confirm and exploit.

~ MaXe

Title: Re: HTTP Response Splitting - How common?

Post by: manoj9372 on August 24, 2011, 06:01:16 AM

Hi MaXe,

After seeing your post I started to research this vulnerability, and I can proudly say to you: "IT IS STILL ALIVE". As you said you haven't seen this on a live website, here we go:

Code: http://www.exploit-db.com/exploits/11211/

It is an old one; I am sure it has been patched by now, but it is nice to see its presence. Also go here:

Code: http://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-15944/Apache-Http-Server-2.0.52.html

Look at the 20th one; they mention "HTTP Request Smuggling", which looks similar to the attack type you described. TBH, as I am not an expert in this, I would like to ask some questions: Are HTTP request smuggling and HTTP response splitting the same thing? And reading your post, together with my recent interest in HTTP headers, methods and the attacks related to them, made me curious to know in depth about the threats a server faces when it enables methods like HEAD, OPTIONS etc. Do you have any interesting documents to feed my thoughts? :) If you have any, please feed me, I'm hungry MaXe :) And it seems I touched an old dusty question, cough, cough :)

Title: Re: HTTP Response Splitting - How common?

Post by: MaXe on August 24, 2011, 10:51:40 AM

Hi manoj,

Quote: and I can proudly say to you "IT IS STILL ALIVE" Code: http://www.exploit-db.com/exploits/11211/

Yes, but it has probably been the only vulnerability of its kind I've seen last year that was worth reporting too. (I have absolutely no affiliation with this exploit.)

Quote: TBH, as I am not an expert in this, I would like to ask some questions: Are HTTP request smuggling and HTTP response splitting the same thing?

Yes, they're the same; every vulnerability tracker calls things different names for some funny reason. Some sites use what I would call "whitehat words" while others like exploit-db use "blackhat words", where the blackhat words don't mean it's illegal, it just means it makes sense, and you don't have to think about the meaning at all. ;D Straight and simple, as it should be.

Quote: And reading your post, together with my recent interest in HTTP headers, methods and the attacks related to them, made me curious to know in depth about the threats a server faces when it enables methods like HEAD, OPTIONS etc. Do you have any interesting documents to feed my thoughts? :) If you have any, please feed me, I'm hungry MaXe :) And it seems I touched an old dusty question, cough, cough :)

Most servers have GET, POST and HEAD enabled by default. HEAD is nice to check if e.g. a directory or file exists, as it will only return the response code and thereby limit the stress on the webserver. OPTIONS is enabled on most Apache servers, but occasionally on IIS servers it may not be. (It seems to depend on the version, but also on the company behind it.) TRACE is randomly enabled, and of course you can note it in a pentest report as a low risk, but it's worth focusing more on other issues such as SQL Injection, Persistent / Stored XSS, RFI, LFI, etc.
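As an added illustration (not code from the thread or from the exploit linked above), here is the header-injection pattern the thread is discussing beside its hardened form: a redirect that copies a user-supplied target straight into `Location`, a version that refuses CR/LF in header values, and a small checker that counts how many status lines a client would see in the resulting byte stream. The redirect target `INJECTED` is a constructed sample.

```python
"""Added example: HTTP response splitting via CRLF in a redirect target,
with the fix (reject line terminators in header values)."""

CRLF = "\r\n"


def build_redirect_unsafe(target: str) -> str:
    # Vulnerable pattern: the user-controlled value is copied into the
    # Location header verbatim, so any CR/LF it carries ends the header
    # block early and whatever follows is parsed as a new response.
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + target + CRLF
        + "Content-Length: 0" + CRLF + CRLF
    )


def safe_header_value(value: str) -> str:
    # Hardened: a header field value may not contain CR, LF or NUL, so
    # reject such input outright instead of trying to encode around it.
    if any(ch in value for ch in ("\r", "\n", "\x00")):
        raise ValueError("header value contains a line terminator")
    return value


def build_redirect_safe(target: str) -> str:
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + safe_header_value(target) + CRLF
        + "Content-Length: 0" + CRLF + CRLF
    )


def redirect_is_rejected(target: str) -> bool:
    # True when the hardened builder refuses the target.
    try:
        build_redirect_safe(target)
    except ValueError:
        return True
    return False


def count_responses(raw: str) -> int:
    # Detection helper: how many status lines appear in one response stream.
    # A correct response has exactly one; a split response shows two or more.
    return sum(1 for line in raw.split(CRLF) if line.startswith("HTTP/1."))


# Constructed sample: a redirect parameter whose decoded value smuggles in a
# blank line and a second status line after the legitimate path.
INJECTED = "/home" + CRLF + CRLF + "HTTP/1.1 200 OK" + CRLF + "Content-Length: 0"
```

Running `count_responses(build_redirect_unsafe(INJECTED))` yields 2 while the safe builder raises, which is the check to add where a web framework sets headers from request data.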