HTTP header injection: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 20:29, 5 June 2008 edit Planetlevel (talk \| contribs) 20 edits No edit summary ← Previous edit		Latest revision as of 10:05, 17 May 2025 edit undo Palmiped (talk \| contribs) Extended confirmed users, Rollbackers 13,047 edits avoid redirect Tag: Undo
(67 intermediate revisions by 50 users not shown)
Line 1: {{Short description\|Web application security vulnerability}} {{Citation style\|date=March 2024}} {{HTTP}} '''HTTP header injection''' is a general class of [[web application]] [[security vulnerability]] which occurs when [[Hypertext Transfer Protocol]] ([[HTTP]]) [[list of HTTP headers\|headers]] are dynamically generated based on user input. [[Header (computing)\|Header]] injection in HTTP responses can allow for [[HTTP response splitting]], ~~and~~[[session fixation]] via the Set-[[HTTP cookie\|Cookie]] header, [[~~Cross~~cross-site scripting]] (XSS), and malicious redirect attacks. ~~HTTP~~via ~~header~~the ~~injection~~___location isheader. a[[XSS]] ~~relatively~~attacks ~~new~~can ~~area~~be ~~for~~blocked ~~web-based~~with ~~attacks,~~the ~~and~~use ~~has~~of ~~primarily~~an ~~been~~[[Browser ~~pioneered~~extension\|extension]] bysuch ~~Amit~~as ~~Klein~~[[NoScript]] inor ~~his~~Malwarebytes ~~work~~Browser Guard on ~~request/response~~your ~~smuggling/splitting~~[[Web browser\|browser]]. == Sources == * [https://dl.packetstormsecurity.net/papers/attack/Aspect_File_Download_Injection.pdf File Download Injection] * [https://www.owasp.org/index.php/HTTP_Response_Splitting OWASP HTTP request Splitting] * [https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling OWASP Testing for HTTP Splitting/Smuggling] * [https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/ HTTP Smuggling in 2015] * [https://noscript.net NoScript Official Website] == See also == [http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042358.html HTTP Response Smuggling] [[HTTP request smuggling]] [http://palisade.plynt.com/issues/2006Sep/http-request-smuggling/ HTTP Request Smuggling] [http://www.webappsec.org/lists/websecurity/archive/2008-04/msg00003.html File Download Injection] ==~~Useful Tools~~References== {{Reflist}} * [http://www.lucid-edge.com HTTP Sniffer and HTTP Analyzer (Proxy and tunnel based)] * [http://wapiti.sf.net Wapiti Open Source Header, XSS, SQL and LDAP injection scanner] [[Category:Web security exploits]] [[Category:~~HTTP~~Hypertext Transfer Protocol headers]] {{internet-stub}}▼ ▲{{~~internet~~Web-stub}} ~~[[de:Header-Injection]]~~