Revision as of 15:48, 26 October 2015 edit 90.49.7.127 (talk) →Sources: remove broken links, add valid ones ← Previous edit		Revision as of 01:24, 22 December 2015 edit undo 5.102.218.163 (talk) Removing template:fact. Inserting a reference. Next edit →
Line 1: {{HTTP}} '''HTTP header injection''' is a general class of [[web application]] [[security vulnerability]] which occurs when [[Hypertext Transfer Protocol]] (HTTP) [[list of HTTP headers\|headers]] are dynamically generated based on user input. Header injection in HTTP responses can allow for [[HTTP response splitting]], [[Session fixation]] via the Set-Cookie header, [[cross-site scripting]] (XSS), and malicious redirect attacks via the ___location header. HTTP header injection is a relatively new area for web-based attacks, and has primarily been pioneered by Amit Klein in his work on request/response smuggling/splitting~~{{fact\|date=February~~<ref>Linhart, ~~2015}}~~Klein, Heled, and Orrin: [http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf HTTP Request Smuggling], 2005. Retrieved on 22 December 2005, Watchfire Corporation</ref>. == Sources == Line 10: == Tools == * [http://wapiti.sf.net Wapiti Open Source Header, XSS, SQL and LDAP injection scanner] ==References== {{Reflist}} [[Category:Web security exploits]]

HTTP header injection: Difference between revisions