HTTP header injection: Difference between revisions

Content deleted Content added
m Reverted 1 edit by 201.175.252.23 (talk) to last revision by 77.8.137.98
avoid redirect
 
(9 intermediate revisions by 2 users not shown)
Line 1:
{{Short description|Web application security vulnerability}}
{{Citation style|date=March 2024}}
{{HTTP}}
'''HTTP header injection''' is a general class of [[web application]] [[security vulnerability]] which occurs when [[Hypertext Transfer Protocol]] ([[HTTP]]) [[list of HTTP headers|headers]] are dynamically generated based on user input. [[Header (computing)|Header]] injection in HTTP responses can allow for [[HTTP response splitting]], [[session fixation]] via the Set-[[HTTP cookie|Cookie]] header, [[cross-site scripting]] (XSS), and malicious redirect attacks via the location header.

Content deleted: HTTP header injection is a relatively new area for web-based attacks, and has primarily been pioneered by Amit Klein in his work on request/response smuggling/splitting.<ref>Linhart, Klein, Heled, and Orrin: [http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf HTTP Request Smuggling], 2005, Watchfire Corporation. Retrieved on 22 December 2015</ref>

Content added: [[XSS]] attacks can be blocked with the use of an [[Browser extension|extension]] such as [[NoScript]] or Malwarebytes Browser Guard on your [[Web browser|browser]]
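
The definition above (headers generated from user input) is illustrated by the following added example, which is not part of the article or of either revision. It builds a redirect response with and without validation of the location value; the function names, the sample input and the same-site-path policy are assumptions made for the illustration.

```python
import re

# Assumed policy for this example: redirect targets are same-site paths made of
# visible ASCII only. That excludes CR, LF, NUL and every other control byte,
# and it refuses "//host" and "/\host", which browsers may treat as another site.
_SAFE_PATH = re.compile(r"/(?![/\\])[\x21-\x7e]*")


def _render(location: str) -> bytes:
    """Serialize a minimal 302 response carrying the given location value."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def redirect_unsafe(target: str) -> bytes:
    """Vulnerable pattern: user input is copied into the header verbatim."""
    return _render(target)


def redirect_safe(target: str) -> bytes:
    """Hardened pattern: validate before the value reaches the header."""
    if not _SAFE_PATH.fullmatch(target):
        raise ValueError("rejected redirect target")
    return _render(target)


def header_names(response: bytes) -> list[str]:
    """Field names a recipient would parse from the first header block."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


# Constructed sample input: a CRLF pair followed by a second header line.
INJECTED = "/home\r\nSet-Cookie: session=fixed-by-attacker"

if __name__ == "__main__":
    print(header_names(redirect_unsafe("/home")))    # two headers, as intended
    print(header_names(redirect_unsafe(INJECTED)))   # an extra Set-Cookie header appears
    try:
        redirect_safe(INJECTED)
    except ValueError as exc:
        print("blocked:", exc)
```

Most current web frameworks and HTTP libraries reject CR and LF in header values themselves; the explicit check matters wherever a response is assembled by string concatenation.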
 
== Sources ==
Line 8 ⟶ 9:
* [https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling OWASP Testing for HTTP Splitting/Smuggling]
* [https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/ HTTP Smuggling in 2015]
* [https://noscript.net NoScript Official Website]
 
== See also ==