HTTP split / CRLF attack
Date: June 01, 2010 10:49AM
Hello
There is an application developed in ASP/.NET that was vulnerable to HTTP response splitting attacks. There was an input parameter sent in GET requests that was used as part of the Location header on the redirect. So, we just inserted a CRLF and we could create fake headers.
They mitigated the problem, but I'm unsure if it's really a good mitigation.
Now, it only prints into the Location header until it reaches a CR or LF character, so I'm unable to add more headers.
However, if I add two CRLFs in sequence I see the next headers are sent and interpreted by the browser as HTML (body contents).
The input also filters <, >, ' and ".
Also, all data that I insert on this field always generate a redirect (302 HTTP code) to another webpage.
Inserting stuff like
foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>test</html>
doesn't work, I always get the redirected page again. Probably because these supposed headers are never sent as headers because of the input filter; if I add two CRLFs they turn into body contents and appear as text.
XSS could be possible, but unhappily the filters on <, >, ' and " prevent me from exploiting it. I could set UTF-7 in the header and send encoded contents, but again I can't manipulate the headers.
Any idea if exploitation is possible?
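To make the mitigation question concrete, here is an added example (not from the original post or the application it describes) that models the three variants of the redirect builder in Python: the original behaviour that copies the parameter verbatim into the Location header, the described fix that stops at the first CR or LF, and a stricter version that rejects any control character and only accepts a same-site relative path. The injected value and the header names are constructed for the demonstration; `header_names` is a small helper that parses the raw response so the effect of each builder can be checked.

```python
import re
from urllib.parse import quote

# Constructed sample: a redirect parameter carrying CRLF-injected content, the
# pattern described in the post (an extra header, a blank line, then body text).
INJECTED = "foobar\r\nSet-Cookie: evil=1\r\n\r\n<html>test</html>"

# Regex for ASCII control characters, including CR and LF, which must never
# appear in a header value.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def build_redirect_vulnerable(target: str) -> bytes:
    """Original behaviour: parameter written verbatim into the Location header."""
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def build_redirect_truncate(target: str) -> bytes:
    """The mitigation described in the post: keep only the text before the
    first CR or LF. Attacker-controlled content after the break is discarded,
    so no additional headers can be injected."""
    cut = re.split(r"[\r\n]", target, maxsplit=1)[0]
    return build_redirect_vulnerable(cut)


def safe_location(target: str) -> str:
    """Stricter alternative: reject instead of truncate. Raises ValueError on
    control characters, on absolute URLs and on protocol-relative '//' paths,
    then percent-encodes anything outside the allowed URL characters."""
    if CONTROL_CHARS.search(target):
        raise ValueError("control character in redirect target")
    if not target.startswith("/") or target.startswith("//"):
        raise ValueError("redirect target must be a same-site relative path")
    return quote(target, safe="/?=&%-._~")


def is_safe_location(target: str) -> bool:
    """Boolean wrapper around safe_location for callers that prefer a check."""
    try:
        safe_location(target)
        return True
    except ValueError:
        return False


def header_names(raw: bytes) -> list:
    """Parse the header block of a raw HTTP response (up to the first blank
    line) and return the header names in order, excluding the status line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")[1:]  # drop the status line
    return [line.split(":", 1)[0] for line in lines if ":" in line]


if __name__ == "__main__":
    print("vulnerable :", header_names(build_redirect_vulnerable(INJECTED)))
    print("truncating :", header_names(build_redirect_truncate(INJECTED)))
    print("strict     :", is_safe_location(INJECTED), is_safe_location("/account?id=7"))
```

Running the block shows the verbatim builder emitting the injected Set-Cookie header and then the injected body after the blank line, while the truncating builder emits only Location and Content-Length. Truncation does remove the split, but it silently accepts an input that is never legitimate; rejecting the request and logging it, as `safe_location` does, also prevents open redirects to an attacker's host, which the truncating fix leaves untouched.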