The Hacker Recipes
GitHubTwitterExegolTools
  • Introduction
  • Active Directory
    • Reconnaissance
      • DHCP
      • DNS
      • NBT-NS
      • Responder ⚙️
      • Port scanning
      • LDAP
      • BloodHound ⚙️
      • MS-RPC
      • enum4linux ⚙️
      • Password policy
    • Movement
      • Credentials
        • Dumping
          • SAM & LSA secrets
          • DPAPI secrets
          • NTDS secrets
          • LSASS secrets
          • DCSync
          • Group Policy Preferences
          • Network shares
          • Network protocols
          • Web browsers
          • In-memory secrets
          • Kerberos key list
          • 🛠️Cached Kerberos tickets
          • 🛠️Windows Credential Manager
          • 🛠️Local files
          • 🛠️Password managers
        • Cracking
        • Bruteforcing
          • Guessing
          • Spraying
          • Stuffing
        • Shuffling
        • Impersonation
      • MITM and coerced auths
        • ARP poisoning
        • DNS spoofing
        • DHCP poisoning
        • DHCPv6 spoofing
        • WSUS spoofing
        • LLMNR, NBT-NS, mDNS spoofing
        • ADIDNS poisoning
        • WPAD spoofing
        • MS-EFSR abuse (PetitPotam)
        • MS-RPRN abuse (PrinterBug)
        • MS-FSRVP abuse (ShadowCoerce)
        • MS-DFSNM abuse (DFSCoerce)
        • PushSubscription abuse
        • WebClient abuse (WebDAV)
        • 🛠️NBT Name Overwrite
        • 🛠️ICMP Redirect
        • 🛠️Living off the land
      • NTLM
        • Capture
        • Relay
        • Pass the hash
      • Kerberos
        • Pre-auth bruteforce
        • Pass the key
        • Overpass the hash
        • Pass the ticket
        • Pass the cache
        • Forged tickets
          • Silver tickets
          • Golden tickets
          • Diamond tickets
          • Sapphire tickets
          • RODC Golden tickets
          • MS14-068
        • ASREQroast
        • ASREProast
        • Kerberoast
        • Delegations
          • (KUD) Unconstrained
          • (KCD) Constrained
          • (RBCD) Resource-based constrained
          • S4U2self abuse
          • Bronze Bit
        • Shadow Credentials
        • UnPAC the hash
        • Pass the Certificate
        • sAMAccountName spoofing
        • SPN-jacking
      • DACL abuse
        • AddMember
        • ForceChangePassword
        • Targeted Kerberoasting
        • ReadLAPSPassword
        • ReadGMSAPassword
        • Grant ownership
        • Grant rights
        • Logon script
        • Rights on RODC object
      • Group policies
      • Trusts
      • Netlogon
        • ZeroLogon
      • Certificate Services (AD-CS)
        • Certificate templates
        • Certificate authority
        • Access controls
        • Unsigned endpoints
        • Certifried
      • SCCM / MECM
        • Privilege escalation
        • Post-exploitation
      • Exchange services
        • 🛠️PrivExchange
        • 🛠️ProxyLogon
        • 🛠️ProxyShell
      • Print Spooler Service
        • PrinterBug
        • PrintNightmare
      • Schannel
        • Pass the Certificate
      • Built-ins & settings
        • Security groups
        • MachineAccountQuota
        • Pre-Windows 2000 computers
        • RODC
    • Persistence
      • DC Shadow
      • SID History
      • Skeleton key
      • GoldenGMSA
      • AdminSDHolder
      • Kerberos
        • Forged tickets
        • Delegation to KRBTGT
      • Certificate Services (AD-CS)
        • Certificate authority
        • Access controls
        • Golden certificate
      • 🛠️DACL abuse
      • Shadow Principals (PAM)
  • Web services
    • Reconnaissance
      • HTTP response headers
      • Comments and metadata
      • Error messages
      • Site crawling
      • Directory fuzzing
      • Subdomains enumeration
      • Subdomain & vhost fuzzing
      • Web Application Firewall (WAF)
      • Content Management System (CMS)
      • Other technologies
      • Known vulnerabilities
    • Configuration
      • Default credentials
      • HTTP methods
      • HTTP security headers
        • Clickjacking
        • MIME type sniffing
        • 🛠️CORS (Cross-Origin Resource Sharing)
        • 🛠️CSP (Content Security Policy)
      • HTTP request smuggling
      • HTTP response splitting
      • Insecure Cookies
      • Denial of Service (DoS)
      • Identity and Access Management
        • 🛠️OAuth 2.0
    • Accounts and sessions
      • Security policies
      • Password change
      • 🛠️Password reset
      • Account creation
      • 🛠️Account deletion
      • 🛠️Logging in
    • User inputs
      • File inclusion
        • LFI to RCE
          • logs poisoning
          • phpinfo
          • file upload
          • PHP wrappers and streams
          • PHP session
          • /proc
        • RFI to RCE
      • Unrestricted file upload
      • SQL injection
      • XSS (Cross-Site Scripting)
      • CSRF (Cross-Site Request Forgery)
      • SSRF (Server-Side Request Forgery)
      • IDOR (Insecure Direct Object Reference)
      • ORED Open redirect
      • Content-Type juggling
      • XXE injection
      • Insecure JSON Web Tokens
      • 🛠️HTTP parameter pollution
      • 🛠️SSTI (Server-Side Template Injection)
      • 🛠️Insecure deserialization
      • 🛠️CRLF injection
      • 🛠️Arbitrary file download
      • 🛠️Directory traversal
      • 🛠️Null-byte injection
  • Systems & services
    • Reconnaissance
      • 🛠️Hosts discovery
      • Port scanning
    • Initial access (protocols)
      • 🛠️FTP
      • 🛠️SSH
      • 🛠️Telnet
      • 🛠️DNS
      • 🛠️HTTP
      • 🛠️Kerberos
      • 🛠️LDAP
      • 🛠️SMB
      • 🛠️RTSP
      • 🛠️MSSQL
      • 🛠️NFS
      • 🛠️MySQL
      • 🛠️RDP
      • 🛠️WinRM
    • Initial access (phishing)
    • Privilege escalation
      • Windows
        • 🛠️Credential dumping
        • 🛠️Unquoted path
        • 🛠️Scheduled tasks
        • 🛠️Weak service permissions
        • 🛠️Vulnerable drivers
        • 🛠️Account privileges
        • 🛠️Kernel exploitation
        • 🛠️Windows Subsystem for Linux
        • 🛠️Runas saved creds
        • Unattend files
        • 🛠️Network secrets
        • 🛠️Living off the land
      • UNIX-like
        • SUDO
        • SUID/SGID binaries
        • 🛠️Capabilities
        • 🛠️Network secrets
        • 🛠️Living off the land
    • Pivoting
      • 🛠️Port forwarding
      • 🛠️SOCKS proxy
  • Evasion
    • (AV) Anti-Virus
      • 🛠️Loader
      • 🛠️Dropper
      • 🛠️Obfuscation
      • 🛠️Process injection
      • 🛠️Stealth with C2
    • 🛠️(EDR) Endpoint Detection and Response
  • 🛠️Physical
    • Locks
    • Networking
      • Network Access Control
    • Machines
      • HID injection
      • Keylogging
      • BIOS security
      • Encryption
      • Airstrike attack
    • Super secret zones
      • 🍌Banana & chocolate cake
      • 🍳Omelette du fromage
      • 🍔Burger du seigneur
      • 🥞The Pancakes of Heaven
  • 🛠️Intelligence gathering
    • CYBINT
      • Emails
      • Web infrastructure
    • OSINT
    • GEOINT
  • 🛠️RADIO
    • RFID
      • Mifare Classic
        • Default keys
        • Darkside
        • Nested
    • Bluetooth
    • Wi-Fi
      • 🛠️WEP
      • 🛠️WPA2
      • 🛠️WPS
    • Wireless keyboard/mouse
  • 🛠️mobile apps
    • Android
      • Android Debug Bridge ⚙️
      • APK transform
      • Magisk
    • iOS
      • Certificate pinning
Powered by GitBook
On this page
  • Theory
  • Practice
  • Reflected XSS
  • Resources

Was this helpful?

  1. Web services
  2. Configuration

HTTP response splitting

Theory

The HTTP protocol uses CRLF sequences to end headers, lines and so on. When input vectors are reflected in the HTTP responses, if attackers can inject CRLF sequences, they can craft an arbitrary HTTP response. For example, this could lead to reflected XSS as the attackers would have the ability to inject arbitrary HTML content in the response.

Practice

Testers need to find input vectors that could be reflected in HTTP responses.

  • GET or POST parameters (like page, id, language, lang...)

  • Cookies

For example, in the following request line, the GET parameter page is not sanitized enough and a CRLF sequence (%0D%0A) can be injected.

GET /index.php?question=answer%0D%0AInjection:%20Pwned%0D%0A HTTP/1.1

The Injection header is then reflected in the HTTP response, right after the legitimate X-Custom-Question header.

HTTP/1.1 200 OK
[...]
X-Custom-Question: answer
Injection: Pwned
[...]

A CRLF injection vulnerable input vector can lead to HTTP response splitting that can in turn lead to

  • Reflected XSS

  • Redirection

  • Sensitive Information Disclosure

Headers are separated with the body by two CRLF sequences (%0D%0A%0D%0A).

Reflected XSS

The following payload injects two headers and a script tag in the body.

?language=fr%0D%0AContent-Length:%2040%0D%0AContent-Type:%20text/html%0D%0A%0D%0A<script>alert('XSS')</script>

Resources

PreviousHTTP request smugglingNextInsecure Cookies

Last updated 3 years ago

Was this helpful?

PayloadsAllTheThings/README.md at master · swisskyrepo/PayloadsAllTheThingsGitHub
CRLF injection, HTTP response splitting, and HTTP header injection vulnerabilitiesnetsparker
Logo
Logo