Fix ASP.NET Response Splitting

G5 Cyber Security

2 months ago

TL;DR

An HTTP response splitting attack lets attackers inject malicious content into web responses by manipulating data sent to the server. This guide shows you how to protect your ASP.NET applications.

What is an HTTP Response Splitting Attack?

Imagine a website takes some text you type and includes it in its reply (the ‘response’). If the website doesn’t handle that text carefully, an attacker could sneak extra instructions into the response, like telling your browser to display a fake login box. This is HTTP Response Splitting.

How to Fix It

Understand Where User Input Goes

Identify all places in your ASP.NET code where user-supplied data (from forms, query strings, cookies etc.) is used directly in the Response object. This includes:

Response.Write()
Response.Redirect()
Setting headers using Response.Headers[...]
Using Server.Transfer() or similar methods that affect the response.

Encode Output Properly

The key is to make sure any user input included in the response is treated as *data*, not as instructions. Use ASP.NET’s built-in encoding methods.

HttpUtility.HtmlEncode(): This is your main tool! It converts characters like <, >, and newlines into their safe HTML equivalents.

string userInput = Request.QueryString["name"];
string encodedInput = HttpUtility.HtmlEncode(userInput);
Response.Write("Hello, " + encodedInput); // Safe!

For URLs in Redirects: Use HttpUtility.UrlEncode() to encode the URL parameters.

string redirectURL = Request.QueryString["url"];
string encodedURL = HttpUtility.UrlEncode(redirectURL);
Response.Redirect("/somepage?url=" + encodedURL); // Safe!

Avoid Direct Header Manipulation

Directly setting response headers with user input is very risky. If possible, avoid it altogether.

If you *must* set a header based on user input, encode the value using HttpUtility.HtmlEncode() before adding it to the header.

string customHeaderValue = Request.QueryString["headerValue"];
string encodedHeaderValue = HttpUtility.HtmlEncode(customHeaderValue);
Response.Headers["X-Custom-Header"] = encodedHeaderValue; // Still risky, but better

Use Safe Methods Where Available

Some ASP.NET methods are designed to be safer.

Server.Execute(): Can be safer than Server.Transfer() if used correctly, but still requires careful input validation and encoding.
Model Binding & Data Validation: If you’re using ASP.NET MVC or Web API, use model binding with data annotations to validate user input *before* it reaches your code. This isn’t direct response splitting prevention, but reduces the chance of bad data getting in.

Content Security Policy (CSP)

While not a fix for the vulnerability itself, CSP can help mitigate the impact if an attack succeeds by controlling what resources the browser is allowed to load.

Add a Content-Security-Policy header to your responses. This is more advanced and requires careful configuration.

Testing

Always test your application after making changes!

Try injecting common splitting characters (%0a, %0d, <br/>) into input fields and see if they appear in the response as intended.
Use a web security scanner to automatically identify potential vulnerabilities.