HTTP header injection: Difference between revisions

'''HTTP header injection''' is a general class of [[web application]] [[security vulnerability]] which occurs when [[Hypertext Transfer Protocol]] (HTTP) [[list of HTTP headers|headers]] are dynamically generated based on user input. Header injection in HTTP responses can allow for [[HTTP response splitting]], [[Session fixation]] via the Set-Cookie header, [[cross-site scripting]] (XSS), and malicious redirect attacks via the ___location header. HTTP header injection is a relatively new area for web-based attacks, and has primarily been pioneered by Amit Klein in his work on request/response smuggling/splitting{{fact|date=February 2015}}..