In the financial hub of Charlotte, North Carolina, ethical hacker Raj Patel is contracted by...

The described behavior strongly matches HTTP Response Splitting. This vulnerability occurs when an application includes unsanitized user input in HTTP response headers. By injecting carriage return and line feed characters (CRLF), an attacker can “split” the server’s response into multiple parts—causing additional headers to appear or injecting unintended body content. The scenario explicitly says Raj’s payloads cause “additional headers to appear” and “inject unintended content into the output,” which is the classic outcome of response splitting.

Why this matters: response splitting can enable attacks such as web cache poisoning, cookie manipulation, redirection, and cross-site scripting-like impacts through header/body injection. For example, if an attacker can inject a Set-Cookie header, they may set or overwrite cookies in the victim’s browser. If they can inject a Location header, they may force redirects. If they inject content into the body, they may deliver malicious scripts or alter page behavior—especially when combined with caching intermediaries. The vulnerability typically arises in features that reflect user input into headers such as Location, Set-Cookie, Content-Disposition, or custom headers.

The other options do not match the symptoms:

XML Poisoning (B) and XXE (C) relate to XML parsing and entity resolution; they do not directly cause added HTTP headers in responses.

SSRF (D) involves forcing the server to make outbound requests to internal/external resources; it may expose data but does not primarily manifest as injected response headers and altered response structure.

Therefore, Raj is most likely exploiting A. HTTP Response Splitting.