This link describes my problem better: https://code.google.com/p/webgoat/issues/detail?id=42
I was doing the HTTP Splitting exercise in WebGoat. In this exercise, when you send a malformed URL, you are supposed to get TWO headers back. One header is the original header. The second header must be the attacker's malformed header.
But when I intercept the response, the server only sends back one header, which is not correct. Why is that ?
PS: I have completed the exercise and I understand the basics of this attack.