XSS Exploits: Cross Site Scripting Exploits and Defense

HTTP Response Injection involves the attacker being able to inject a Carriage Return (ASCII 0x0D) followed by a Line Feed (ASCII 0x0A), the CRLF sequence, into the response headers. The CRLF sequence, per RFC 2616, is the delimiter that separates one header from the next. If attackers are able to inject these characters, they can perform XSS, cache poisoning, and so forth.
The most common place where these vulnerabilities occur is in redirection scripts that take a URL as input and generate the appropriate headers to transfer the user to the specified resource. The following PHP script illustrates this functionality:
<?php
if (isset($_GET['redirect'])) {
    // The redirect value is written straight into the Location header with no validation
    header("Location: " . $_GET['redirect']);
}
?>
If we name this script redirector.php and call it as redirector.php?redirect=http%3A//www.google.com, the server generates a response similar to the following:
HTTP/1.1 302 Found
Date: Mon, 02 Apr 2007 13:38:10 GMT
Server: Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.3 mod_ssl/2.8.28 OpenSSL/0.9.7a
X-Powered-By: PHP/4.4.3
Location: http://www.google.com
Content-Type: text/html
Content-Length: 0
However, because the developer did not sanitize the redirect field, attackers can easily split the response using the following:
redirector.php?redirect=%0d%0a%0d%0a
Notice the hex character sequence at the beginning of the redirect value. As we outlined earlier, %0d (i.e., 0x0d) is the CR and %0a (i.e., 0x0a) is the LF. We provide two CRLF sequences so we end up with two additional lines in our header. In addition, we encoded the XSS string as hex characters and used the String.fromCharCode function to convert the hex values to ASCII. This avoids any server-side stripping/filtering of quotes. The...
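The following is an added example, not code from the book, that renders the unchecked redirect above in Python beside a hardened version, so the effect of a decoded %0d%0a%0d%0a on the header block can be inspected directly. The allowlisted host names and the hypothetical function names (naive_redirect, build_redirect, is_safe_redirect, split_response) are this example's own; the CRLF-bearing input is constructed to mirror the redirector.php request in the text. The defensive rule is the one a practitioner wants regardless of language: reject any control character before the value reaches a header, and only redirect to hosts you have chosen. Note that PHP's header() function has refused values containing newlines since PHP 5.1.2, so the PHP/4.4.3 build shown in the response above is what makes the book's script exploitable as written; the validation here is still the right habit because other frameworks and hand-written servers do not all enforce that check.

```python
import re
from urllib.parse import urlsplit, unquote

# Hosts this application is willing to redirect to (constructed allowlist for the example).
ALLOWED_HOSTS = {"www.google.com", "www.example.com"}

# CR, LF and every other ASCII control character: none of them belong in a header value.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def naive_redirect(target: str) -> bytes:
    """Mirror of the vulnerable redirector.php: the value goes into Location unchecked."""
    return ("HTTP/1.1 302 Found\r\nLocation: " + target +
            "\r\nContent-Length: 0\r\n\r\n").encode("latin-1")


def is_safe_redirect(target: str) -> bool:
    """True only if `target` can be placed in a Location header without splitting it."""
    # Check for control characters BEFORE parsing: urlsplit silently drops \r and \n,
    # so parsing first would hide exactly the characters we must reject.
    if CONTROL_CHARS.search(target):
        return False
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return False          # blocks javascript:, data:, and scheme-relative //host
    return parts.hostname in ALLOWED_HOSTS


def build_redirect(target: str) -> bytes:
    """Hardened redirector: never echo an untrusted value that failed validation."""
    if not is_safe_redirect(target):
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return ("HTTP/1.1 302 Found\r\nLocation: " + target +
            "\r\nContent-Length: 0\r\n\r\n").encode("ascii")


def split_response(response: bytes) -> tuple:
    """Return (header_lines, body) the way a client or proxy would read them:
    the header block ends at the first blank line."""
    head, _, body = response.partition(b"\r\n\r\n")
    return head.split(b"\r\n"), body


if __name__ == "__main__":
    # Constructed request value modelled on redirector.php?redirect=...%0d%0a%0d%0a
    injected = unquote("http://www.google.com%0d%0a%0d%0aINJECTED")
    lines, body = split_response(naive_redirect(injected))
    print("naive: header lines =", len(lines), "| body =", body)
    print("hardened:", build_redirect(injected).split(b"\r\n", 1)[0])
    print("hardened, clean input:", build_redirect("http://www.google.com").split(b"\r\n", 1)[0])
```

With the injected value the naive response has only two header lines before the blank line and the remainder, including the server's own Content-Length header, becomes the body a client renders or a cache stores; the hardened version answers 400 and never writes the value into a header.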