HTTP response splitting is a type of injection attack that can lead to Cross-site Scripting (XSS) and web cache poisoning.

CRLF refers to the Carriage Return and Line Feed sequence of special characters. In the HTTP protocol, the CRLF sequence is always used to terminate a line. Therefore, if a malicious user is able to inject their own CRLF sequence into an HTTP stream, they gain control over the contents of the HTTP response.

Since CRLF characters can be used to split an HTTP response header, it is often also referred to as CRLF injection.

Validate input and remove CRLF character sequences before embedding data into any HTTP response headers.

• HTTP Response Splitting
• CWE-113: HTTP Response Splitting