<?php
// Cookie value deliberately contains CR LF followed by markup, to see
// whether the raw bytes reach the Set-Cookie header line
setcookie('test', "test\r\n<script>alert(1)</script>");
echo 1;
But it turns out PHP automatically does the encoding:
Set-Cookie: test=test%0D%0A%3Cscript%3Ealert%281%29%3C%2Fscript%3E
Does that mean it's impossible to reproduce HTTP response splitting in PHP?
A response splitting attack is possible only if there is a proxy server which multiple users use to connect to various websites. The cache of the proxy server is poisoned and the user becomes a victim whenever the proxy cache serves that page.
HTTP response splitting is a form of web application vulnerability, resulting from the failure of the application or its environment to properly sanitize input values. It can be used to perform cross-site scripting attacks, cross-user defacement, web cache poisoning, and similar exploits.
From the linked Wikipedia article:
[...] Although response splitting is not specific to PHP, the PHP interpreter contains protection against the attack since version 4.4.2 and 5.1.2. [1]
header and setcookie contain mitigations against response/header splitting. It's not possible.
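As an added illustration (not code from the thread or from PHP itself), the following Python snippet emulates the two mitigations the answer describes: the percent-encoding that setcookie() applies to the value, and the single-header rule that makes header() refuse a value containing CR or LF. The PHP behaviour is assumed to match the quoted description; the tainted value is the one from the question.

```python
from urllib.parse import quote_plus


class HeaderInjection(ValueError):
    """Raised when a header value would terminate the header line early."""


def set_cookie_header(name: str, value: str) -> str:
    """Emulate setcookie(): the value is percent-encoded (PHP urlencode),
    so a CR/LF pair can never break out of the Set-Cookie line."""
    # quote_plus approximates PHP urlencode: space -> '+', everything
    # outside A-Za-z0-9_.-~ becomes uppercase %XX
    return f"Set-Cookie: {name}={quote_plus(value, safe='')}"


def header(line: str) -> str:
    """Emulate header(): one header per call, CR or LF is refused outright."""
    if "\r" in line or "\n" in line:
        raise HeaderInjection(
            "Header may not contain more than a single header, new line detected")
    return line


def header_rejects(line: str) -> bool:
    """True if header() would refuse this line (handy for audits and tests)."""
    try:
        header(line)
    except HeaderInjection:
        return True
    return False


def build_response(headers: list, body: str) -> str:
    """Serialize a minimal HTTP/1.1 response from already-vetted header lines."""
    return "HTTP/1.1 200 OK\r\n" + "".join(h + "\r\n" for h in headers) + "\r\n" + body


def response_header_lines(raw: str) -> list:
    """Split the head of a raw response the way a proxy or browser would."""
    head = raw.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")


# Constructed input: the attacker-controlled value from the question
TAINTED = "test\r\n<script>alert(1)</script>"


def safe_response() -> str:
    """Response the script above would produce with the setcookie() mitigation."""
    return build_response([set_cookie_header("test", TAINTED)], "1")


if __name__ == "__main__":
    print(safe_response())                              # CRLF is now %0D%0A
    print(len(response_header_lines(safe_response())))  # 2: status + one header
    print(header_rejects("Location: /?x=" + TAINTED))   # True
```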