Revision as of 04:59, 5 May 2021 edit 2806:103e:e:4ec4:59ac:6927:8a7d:dbc0 (talk) HTTPS Tags: Reverted Mobile edit Mobile web edit ← Previous edit		Revision as of 05:02, 5 May 2021 edit undo 2806:103e:e:4ec4:59ac:6927:8a7d:dbc0 (talk) No edit summary Tags: Reverted nowiki added Mobile edit Mobile web edit Next edit →
Line 1: HTTPS header injection is a general class of ~~[[web~~nowikiweb applicationsecurity vulnerability which occurs when [[Hypertext Transfer Protocol]] HTTPS list on HTTPS ~~headers\|headers]]~~ are dynamically generated based on user input. Header injection in HTTPS responses can allow for [['''HTTP response ~~splitting]], [[Session fixation~~s]] via the Set-Cookie header, ~~[[cross-site scripting]] (XSS), and~~ malicious redirect attacks via the ___location header. HTTP header injection is a relatively new area for web-based attacks, and has primarily been pioneered by Amit Klein in his work on request/response smuggling/splitting.<ref>Linhart, Klein, Heled, and Orrin: [http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf HTTP Request Smuggling], 2005, Watchfire Corporation. Retrieved on 22 December 2015</ref> == Sources ==

HTTP header injection: Difference between revisions