During a recent security assessment I noticed a situation where user input was inserted directly into the response headers. It is obviously suspicious, as the input is reflected verbatim in the response. A cross-site scripting attack does not work here because the input is reflected in the response headers, not in the body. I tried a response splitting attack, but that did not work either, as the application validates the CR and LF characters. A Location header could be inserted perfectly, but the browser did not redirect the user to the new location because the response code was 200 OK: browsers follow a Location header only on a 3xx redirect status such as 301 or 302. So what we need here is a header that makes the browser navigate to the specified website regardless of the status code. Thinking for a while gave me the idea of using the meta refresh mechanism. The Refresh response header is the HTTP-header form of the <meta http-equiv="refresh"> tag: it works much like Location, except that it also carries a delay in seconds before the browser loads the URL, and it is honoured by browsers on a 200 response. It is not part of the HTTP specification, but every mainstream browser supports it.
So inserting Refresh=0; url=http://www.example.com as the input reflected the header in the response and automatically redirected the user to the third-party website www.example.com. Filtering CR and LF alone is therefore not enough: as long as user input can pick the header name, or can reach a Location or Refresh value without the target being validated, the result is an open redirect that can be used for phishing.
HTTP/1.1 200 OK
Refresh: 0; url=http://www.example.com
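The following is an added example, not code from the original post. It models the behaviour described above with two assumptions the post does not show: the application takes a name=value parameter, strips CR/LF, and copies it into a response header line (the vulnerable shape), and the hardened variant only ever influences a fixed Location header whose target must be on an allow-listed host (ALLOWED_REDIRECT_HOSTS is a made-up name). It also includes a small parser that, given a raw response, reports which Location/Refresh headers a browser would actually follow, which is the check that distinguishes the failed Location attempt from the successful Refresh one.

```python
"""
Added example (not from the original post): header injection without CRLF,
the Refresh-header redirect, and a hardened version of the same code path.
The application shape below is an assumption made for illustration.
"""
import re
from urllib.parse import urlsplit

# Hosts the hypothetical application may redirect to (assumed allow-list).
ALLOWED_REDIRECT_HOSTS = {"www.trusted-site.example"}

_STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")
_REFRESH_URL_RE = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*(\S+)", re.IGNORECASE)


def vulnerable_header_from_input(user_input: str) -> str:
    """Assumed vulnerable behaviour: CR/LF are stripped (so classic response
    splitting fails), but the parameter still chooses the header NAME and
    value, so 'Refresh=0; url=...' becomes a Refresh header."""
    cleaned = user_input.replace("\r", "").replace("\n", "")
    name, _, value = cleaned.partition("=")
    return f"{name.strip()}: {value.strip()}"


def hardened_header_from_input(user_input: str) -> str:
    """Hardened version of the same code path: user data never selects the
    header name, and a redirect target must be an absolute http(s) URL whose
    host is on the allow-list. Anything else is rejected, not sanitised."""
    cleaned = user_input.replace("\r", "").replace("\n", "")
    name, _, value = cleaned.partition("=")
    value = value.strip()
    if name.strip().lower() != "location":
        raise ValueError("only a Location value may be user-influenced")
    target = urlsplit(value)
    if target.scheme not in ("http", "https") or target.hostname not in ALLOWED_REDIRECT_HOSTS:
        raise ValueError(f"refusing redirect to {value!r}")
    return f"Location: {value}"


def effective_redirects(raw_response: str) -> list:
    """Parse a raw HTTP response (status line + headers) and return every
    redirecting header as (header, target, browser_will_follow).
    Location is followed only on a 3xx status; Refresh is followed on any
    status, which is why the Refresh injection works where Location did not."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = _STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP response")
    status = int(m.group(1))
    found = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        if name == "location":
            found.append(("Location", value.strip(), 300 <= status < 400))
        elif name == "refresh":
            um = _REFRESH_URL_RE.match(value)
            if um:
                found.append(("Refresh", um.group(1).strip("\"'"), True))
    return found


if __name__ == "__main__":
    # Constructed payload and response, mirroring the post's observation.
    payload = "Refresh=0; url=http://www.example.com"
    injected = vulnerable_header_from_input(payload)
    response = "HTTP/1.1 200 OK\r\n" + injected + "\r\nContent-Type: text/html\r\n\r\n<html></html>"
    print(injected)
    print(effective_redirects(response))
    try:
        hardened_header_from_input(payload)
    except ValueError as err:
        print("hardened:", err)
```

When testing a reflection like this, run effective_redirects over the raw response rather than eyeballing it: a Location header on a 200 is a finding only if you can also control the status, while a Refresh header on a 200 is already a working open redirect.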