
By default, ASP.NET checks for an HTTP Response Splitting attack when you do Response.Redirect:

Response.Redirect("/MySite/Default.aspx?lang=foobar%0d%0aContentLength:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContentType:%20text/html%0d%0aContentLength:%2019%0d%0a%0d%0a<html>Shazam</html>");

Result - error page:

A potentially dangerous Request.QueryString value was detected from the client (lang="...th: 19

<html>Shazam</html>").

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. 

Is there any other way to perform an HTTP Response Splitting attack on a default ASP.NET website configuration? What about ASP.NET MVC?

makerofthings7
Paul Podlipensky
  • Can you just provide one element: `%0acookie: test=1` – rook Jan 16 '12 at 18:57
  • I would be very surprised if HTTP Response Splitting were possible. This is an attack that is trivially solved by the framework, it usually affects applications not using any framework or using one that is immature. `HttpResponse.AppendHeader` simply has to disallow newlines in header names and values, this is sufficient to prevent the attack. And I am mostly certain that it does that and what you've hit here is actually the *second* line of defense. – Wladimir Palant Jan 19 '12 at 14:30

1 Answer


This is going to be an annoyingly trivial answer, BUT...

The only way to perform a Response Splitting attack on an updated ASP.NET (or MVC) server is if the application itself is writing back raw HTTP responses.
Yes, of course no programmer in their right mind would do that... but in the case of the 60% of programmers that are not in their right mind, it is ~~possible~~ likely that such an implementation would be vulnerable.

Otherwise, no, the application is not vulnerable to HRS.

AviD
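The case the answer singles out, an application that writes raw HTTP responses itself, shown next to a hardened form. This is an added example, not code from the question, the answer or ASP.NET; the `RawResponse` class, its methods and the sample input are hypothetical and constructed for illustration.

```csharp
using System;

static class RawResponse
{
    // Reject CR, LF and every other control character in a header value.
    // This is the check the comment above expects the framework to perform.
    public static string SafeHeaderValue(string value)
    {
        foreach (char c in value)
            if (char.IsControl(c))
                throw new ArgumentException("Control character in header value");
        return value;
    }

    // "Before": the value is concatenated straight into the header block,
    // so a CR/LF pair inside it ends the Location header early.
    public static string BuildRedirectUnsafe(string lang) =>
        "HTTP/1.1 302 Found\r\n" +
        "Location: /MySite/Default.aspx?lang=" + lang + "\r\n" +
        "Content-Length: 0\r\n\r\n";

    // "After": percent-encode the query value, then validate the whole header value.
    public static string BuildRedirectSafe(string lang) =>
        "HTTP/1.1 302 Found\r\n" +
        "Location: " + SafeHeaderValue(
            "/MySite/Default.aspx?lang=" + Uri.EscapeDataString(lang)) + "\r\n" +
        "Content-Length: 0\r\n\r\n";

    // Number of lines (status line included) before the blank line that ends the headers.
    public static int HeaderLineCount(string response)
    {
        int end = response.IndexOf("\r\n\r\n", StringComparison.Ordinal);
        return response.Substring(0, end)
                       .Split(new[] { "\r\n" }, StringSplitOptions.None).Length;
    }

    static void Main()
    {
        // Constructed sample input: the value as the application sees it after URL decoding.
        string lang = "en\r\nX-Injected: 1";

        Console.WriteLine("unsafe header lines: " + HeaderLineCount(BuildRedirectUnsafe(lang)));
        Console.WriteLine("safe header lines:   " + HeaderLineCount(BuildRedirectSafe(lang)));
        Console.WriteLine(BuildRedirectSafe(lang));
    }
}
```

The unsafe builder emits one more header line than the application intended; the hardened builder keeps the value inside a single `Location` header because the CR and LF arrive percent-encoded.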