By default, ASP.NET checks for an HTTP response splitting attack when it performs Response.Redirect:
Response.Redirect("/MySite/Default.aspx?lang=foobar%0d%0aContentLength:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContentType:%20text/html%0d%0aContentLength:%2019%0d%0a%0d%0a<html>Shazam</html>");
Result - error page:
A potentially dangerous Request.QueryString value was detected from the client (lang="...th: 19
<html>Shazam</html>").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.
Is there any other way to perform an HTTP response splitting attack in the default configuration of an ASP.NET website? What about ASP.NET MVC?
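
A defensive check an application can apply itself to any value it places in a redirect target, shown as an added example that is not part of the original question: it rejects targets containing CR or LF, whether raw, percent-encoded or double-encoded. The class and method names are hypothetical, and the sample inputs are constructed.

```csharp
using System;

// Added example (not from the original post): reject redirect targets that
// carry CR/LF, raw or percent-encoded, before they are used in a redirect.
public static class RedirectTargetCheck
{
    // Hypothetical helper. Decodes up to maxDecodes times so that
    // double-encoded sequences such as %250d%250a are also caught.
    public static bool ContainsLineBreak(string target, int maxDecodes = 3)
    {
        if (target == null) return false;

        string current = target;
        for (int i = 0; i <= maxDecodes; i++)
        {
            // A raw CR or LF at any decoding level is a header-injection signal.
            if (current.IndexOfAny(new[] { '\r', '\n' }) >= 0) return true;

            string decoded = Uri.UnescapeDataString(current);
            if (decoded == current) return false;   // fully decoded, no line break found
            current = decoded;
        }

        // Still changing after maxDecodes rounds: treat as suspicious and reject.
        return true;
    }

    public static void Main()
    {
        // Constructed sample inputs: one benign, one single-encoded, one double-encoded.
        string[] samples =
        {
            "/MySite/Default.aspx?lang=en",
            "/MySite/Default.aspx?lang=foobar%0d%0aContentLength:%200",
            "/MySite/Default.aspx?lang=foobar%250d%250aX:%20y",
        };

        foreach (string s in samples)
        {
            Console.WriteLine("{0} -> {1}", ContainsLineBreak(s) ? "reject" : "allow", s);
        }
    }
}
```

Call `ContainsLineBreak` on the final redirect string, after any user-supplied parts have been concatenated in, and refuse the redirect when it returns true.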