Hello EH'ers,


Today would be time for a good question, so I thought: How common is the HTTP Response Splitting vulnerability?

Compared to XSS (Persistent and Non-Persistent), XSRF/CSRF, SQL Injection, LFI + RFI, RCE, etc.

I have seen a few WebAppSec courses implement it in their material, but I haven't encountered this vulnerability on a live website yet. The attack itself is interesting, but personally it feels like an attack which died a long time ago, before RFI suddenly got patched pretty well in most Web Applications.

So how common is HTTP Response Splitting vulnerabilities? What is your opinion? I'd like to know since I haven't really hunted for these bugs either, but also because I want to know if it's worth using time on trying to find during a real pentest (where the source code is not available), compared to the other vulnerabilities which are easier to detect, confirm and exploit?


~ MaXe

Hi manoj,


Yes, but it has probably been the only vulnerability of its kind I've seen last year, that was worth reporting too. (I have absolutely no affiliation with this exploit.)


Yes they're the same, every vulnerability tracker calls things different names for some funny reason. Some sites use what I would call, "whitehat words" while others like exploit-db uses "blackhat words", where the blackhat words doesn't mean it's illegal, it just means it makes sense, and you don't have to think about the meaning, at all.  Straight and simple as it should be.


Most servers has: GET, POST and HEAD enabled by default. HEAD is nice to check if e.g. a directory or file exists, as it will only return the response code and thereby, limit the stress on the webserver.

OPTIONS is enabled on most Apache servers, but occasionally on IIS servers it may not be. (It seems like it depends on the version, but also the company behind.)

TRACE is randomly enabled, and of course you can note it in a pentest report as a low risk but it's worth focusing more on other issues such as SQL Injection, Persistent / Stored XSS, RFI, LFI, etc.