HTTP header injection: Difference between revisions

Browse history interactively

Content deleted Content added

VisualWikitext

Revision as of 00:42, 20 October 2006 edit TDM (talk \| contribs) 70 edits No edit summary		Latest revision as of 10:05, 17 May 2025 edit undo Palmiped (talk \| contribs) Extended confirmed users, Rollbackers 13,047 edits avoid redirect Tag: Undo
(85 intermediate revisions by 63 users not shown)
Line 1: {{Short description\|Web application security vulnerability}} '''HTTP header injection''' is a general class of web application vulnerability which occurs when HTTP headers are dynamically generated based on user input. Header injection in HTTP responses can allow for [[HTTP response splitting]] and [[Cross-site scripting]] attacks.▼ {{Citation style\|date=March 2024}} {{HTTP}} ▲'''HTTP header injection''' is a general class of [[web application]] [[security vulnerability]] which occurs when [[Hypertext Transfer Protocol]] ([[HTTP]]) [[list of HTTP headers\|headers]] are dynamically generated based on user input. [[Header (computing)\|Header]] injection in HTTP responses can allow for [[HTTP response splitting]], ~~and~~[[session fixation]] via the Set-[[~~Cross~~HTTP cookie\|Cookie]] header, [[cross-site scripting]] (XSS), and malicious redirect attacks via the ___location header. [[XSS]] attacks can be blocked with the use of an [[Browser extension\|extension]] such as [[NoScript]] or Malwarebytes Browser Guard on your [[Web browser\|browser]]. == Sources == ~~HTTP header injection is a relatively new area for web-based attacks, and has primarily been pioneered by Amit Klein in his work on request/response smuggling/splitting.~~ * [https://dl.packetstormsecurity.net/papers/attack/Aspect_File_Download_Injection.pdf File Download Injection] * [https://www.owasp.org/index.php/HTTP_Response_Splitting OWASP HTTP request Splitting] * [https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling OWASP Testing for HTTP Splitting/Smuggling] * [https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/ HTTP Smuggling in 2015] * [https://noscript.net NoScript Official Website] == See also == * [[HTTP request smuggling]] ==References== {{Reflist}} [[Category:Web security exploits]] [[Category:Hypertext Transfer Protocol headers]] {{Web-stub}} [http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042358.html HTTP Response Smuggling] [http://palisade.plynt.com/issues/2006Sep/http-request-smuggling/ HTTP Request Smuggling]