HTTP response splitting

HTTP response splitting is a form of web application vulnerability, resulting from the failure of the application or its environment to properly sanitize input values. It can be used to perform cross-site scripting attacks, cross-user defacement, web cache poisoning, and similar exploits.
The attack consists of making the server print a carriage return line feed sequence followed by content supplied by the attacker in the HTTP headers|header] section of its response, typically by including them in input fields sent to the application. Per the HTTP standard, headers are separated by one CRLF and the response's headers are separated from its body by two. Therefore, the failure to remove CRs and LFs allows the attacker to set arbitrary headers, take control of the body, or break the response into two or more separate responses—hence the name.

Prevention

The generic solution is to URL-encode strings before inclusion into HTTP headers such as Location or Set-Cookie.
Typical examples of sanitization include casting to integers or aggressive regular expression replacement. Most modern server-side scripting languages and runtimes, like PHP since version 5.1.2 and Node.js since 4.6.0 as well as Web frameworks, such as Django since version 1.8.4 support sanitization of HTTP responses against this type of vulnerability.