Tim’s Weblog Tim's Weblog
Tim Strehle’s links and thoughts on Web apps, managing software development and Digital Asset Management, since 2002.
2005-04-17

HTTP response splitting

Diabolic Crab - HTTP response splitting:

"These kind of attacks are generally carried out in web applications by injecting malicious or unexpected charecters in user input which is then used for a 302 Redirect, in the Location or Set-Cookie header. [...] To avoid such HTTP Splitting vulnerabilities parse all user input for CR LF rn %0d%0a or any other forms of encoding these or other such malicious charecters before using them in any form of HTTP headers."

Sun, 17 Apr 2005 21:22:14 +0000