HTTP Response Smuggling

Amit Klein shows that HTTP Response Splitting is still possible.

Recently, several anti- HTTP Response Splitting strategies has been suggested and/or put to use by various individuals and vendors. Apparently, those individuals and vendors did not subscribe to the somewhat strict approach recommended in [1], which is, to simply disallow CR and LF in data embedded in HTTP response headers. Rather, the recent anti-HTTP Response Splitting suggestions attempt to take a more granular approach. However, it seems that unfortunately, this approach is basically flawed, because it does not take into account variations and tolerance in the parsing of HTTP responses among proxy servers and clients.
This paper presents HTTP Response Smuggling – a way to evade those anti- HTTP response splitting strategies. HTTP Response Smuggling makes use of HTTP Request Smuggling -like techniques ([2]) to exploit the discrepancies between what an anti- HTTP Response Splitting mechanism would consider to be the HTTP response stream, and the response stream as parsed by a proxy server (or a browser).

See the technical details at

Leave a Reply