Which attack involves tricking the server by injecting new lines into response headers along with arbitrary code?

Prepare for the Certified Ethical Hacker Version 11 Exam. Study with comprehensive questions and explanations. Equip yourself with the skills needed for success!

Multiple Choice

Which attack involves tricking the server by injecting new lines into response headers along with arbitrary code?

Explanation:
HTTP Response Splitting occurs when untrusted input is written into an HTTP response header (typically a redirect Location value or a Set-Cookie value) without carriage-return and line-feed characters being removed. In HTTP a CRLF ends a header line and an empty line (CRLF CRLF) ends the whole header block, so an attacker who supplies those sequences (URL-encoded as %0d%0a) can add header lines of their own, terminate the header block early, and write a body, or even a complete second response, into the same stream. This can lead to cache poisoning (a proxy or browser cache stores the attacker's response under a legitimate URL), arbitrary header injection, and cross-site scripting when the browser renders the injected body as the page. The key idea is that headers must be constructed so that user input can never break the header structure. Mitigations include rejecting or stripping CR and LF (and other control characters) from any value that will be placed in a header, validating and encoding that input, and relying on the safe header handling of frameworks and servers; many modern servers and HTTP libraries already refuse to emit such values, so the defect is most common in hand-built responses and older platforms.
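As an added illustration (not code from the original page), the following Python builds a raw redirect response the vulnerable way, by concatenating a user-supplied "next" parameter into the header block, then shows the hardened form that rejects control characters, and parses the resulting byte stream the way a naive downstream cache would. The function and parameter names and the attack payload are constructed for this example.

```python
"""
Added example: HTTP response splitting through a redirect parameter.
Names (build_redirect_vulnerable, build_redirect_safe, split_responses) and
the ATTACK_NEXT payload are assumptions made for this illustration.
"""
from urllib.parse import unquote


def build_redirect_vulnerable(next_url: str) -> bytes:
    # Vulnerable: the parameter is pasted straight into the header block, so
    # CR/LF inside it become new header lines (or end the header block).
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {next_url}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


class HeaderInjectionError(ValueError):
    """Raised when a header value contains characters that could split a response."""


def build_redirect_safe(next_url: str) -> bytes:
    # Hardened: refuse any control character before the value touches a header.
    # CR and LF are the critical ones; the other C0 controls and DEL are
    # rejected as well because no legitimate Location value needs them.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in next_url):
        raise HeaderInjectionError("control characters not allowed in header values")
    return build_redirect_vulnerable(next_url)  # same layout, now with a clean value


def split_responses(raw: bytes) -> list[dict]:
    # Parse a byte stream the way a naive proxy or cache might: each CRLF CRLF
    # ends a header block, and the body is taken from Content-Length. This is
    # what makes the injected second response visible as a separate message.
    responses = []
    pos = 0
    while raw.startswith(b"HTTP/", pos):
        end = raw.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        head = raw[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = raw[body_start:body_start + length]
        responses.append({
            "status": head[0],
            "headers": headers,
            "body": body.decode("latin-1"),
        })
        pos = body_start + length
        while raw.startswith(b"\r\n", pos):  # skip stray CRLF between messages
            pos += 2
    return responses


# Constructed attacker input: it closes the Location line, ends the first
# response's header block, and then supplies a complete second response whose
# body is a script. Content-Length 25 is the length of the injected body.
ATTACK_NEXT = unquote(
    "/home%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E"
)


if __name__ == "__main__":
    print("benign:", split_responses(build_redirect_vulnerable("/home")))
    print("split :", split_responses(build_redirect_vulnerable(ATTACK_NEXT)))
    try:
        build_redirect_safe(ATTACK_NEXT)
    except HeaderInjectionError as exc:
        print("safe  :", exc)
```

With the benign value the stream parses as one 302. With the payload, the same vulnerable builder yields a 302 followed by a second, attacker-controlled 200 whose body is the script; a cache that keys on the next requested URL can store that second message, which is the cache-poisoning case the explanation describes. The hardened builder never emits the header at all. When testing a real application, the quick check is to send `%0d%0a` in a value that is reflected into a header and look for it arriving as a new header line in the raw response.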
