HTTP header injection: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 11:50, 2 November 2017 edit Mitch Ames (talk \| contribs) Autopatrolled, Extended confirmed users, Pending changes reviewers 208,316 edits Remove supercategory of existing category per WP:SUBCAT using AWB ← Previous edit		Latest revision as of 10:05, 17 May 2025 edit undo Palmiped (talk \| contribs) Extended confirmed users, Rollbackers 13,047 edits avoid redirect Tag: Undo
(26 intermediate revisions by 18 users not shown)
Line 1: {{Short description\|Web application security vulnerability}} {{Citation style\|date=March 2024}} {{HTTP}} '''HTTP header injection''' is a general class of [[web application]] [[security vulnerability]] which occurs when [[Hypertext Transfer Protocol]] ([[HTTP]]) [[list of HTTP headers\|headers]] are dynamically generated based on user input. [[Header (computing)\|Header]] injection in HTTP responses can allow for [[HTTP response splitting]], [[~~Session~~session fixation]] via the Set-[[HTTP cookie\|Cookie]] header, [[cross-site scripting]] (XSS), and malicious redirect attacks via the ___location header. ~~HTTP~~[[XSS]] ~~header~~attacks ~~injection~~can isbe ablocked ~~relatively~~with ~~new~~the ~~area~~use ~~for~~of ~~web-based~~an ~~attacks,~~[[Browser ~~and~~extension\|extension]] ~~has~~such ~~primarily~~as ~~been~~[[NoScript]] ~~pioneered~~or byMalwarebytes ~~Amit~~Browser ~~Klein in his work~~Guard on ~~request/response smuggling/splitting.<ref>Linhart, Klein, Heled, and Orrin:~~your [~~http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf~~[Web ~~HTTP Request Smuggling~~browser\|browser]]~~, 2005, Watchfire Corporation~~. ~~Retrieved on 22 December 2015</ref>~~ == Sources == * [~~http~~https://~~lists~~dl.~~webappsec~~packetstormsecurity.~~org~~net/~~pipermail~~papers/~~websecurity_lists.webappsec.org/2008-April~~attack/~~003692~~Aspect_File_Download_Injection.~~html~~pdf File Download Injection] * [https://www.owasp.org/index.php/HTTP_Response_Splitting OWASP HTTP request Splitting] * [https://~~www.~~owasp.org/~~index.php~~www-project-web-security-testing-guide/~~Testing_for_HTTP_Splitting~~latest/~~Smuggling_%28OTG~~4-~~INPVAL~~Web_Application_Security_Testing/07-Input_Validation_Testing/15-~~016%29~~Testing_for_HTTP_Splitting_Smuggling OWASP Testing for HTTP Splitting/Smuggling] * [~~http~~https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/ HTTP Smuggling in 2015] * [https://noscript.net NoScript Official Website] == ~~Tools~~See also == * [[HTTP request smuggling]] * [http://wapiti.sf.net Wapiti Open Source Header, XSS, SQL and LDAP injection scanner] ==References==