HTTP header injection: Difference between revisions

Importing Wikidata short description: "Web application vulnerability that occurs when HTTP headers are dynamically generated from user input; can allow for HTTP response splitting, session fixation (via Set-Cookie), cross-site scripting, and malicious redirect attacks"
Shorten short description per WP:SDSHORT
Line 1:
{{Short description|Web application security vulnerability}}
{{Short description|Web application vulnerability that occurs when HTTP headers are dynamically generated from user input; can allow for HTTP response splitting, session fixation (via Set-Cookie), cross-site scripting, and malicious redirect attacks}}
{{HTTP}}
'''HTTP header injection''' is a general class of [[web application]] [[security vulnerability]] which occurs when [[Hypertext Transfer Protocol]] (HTTP) [[list of HTTP headers|headers]] are dynamically generated based on user input. Header injection in HTTP responses can allow for [[HTTP response splitting]], [[session fixation]] via the Set-Cookie header, [[cross-site scripting]] (XSS), and malicious redirect attacks via the Location header. HTTP header injection is a relatively new area for web-based attacks, and has primarily been pioneered by Amit Klein in his work on request/response smuggling/splitting.<ref>Linhart, Klein, Heled, and Orrin: [http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf HTTP Request Smuggling], 2005, Watchfire Corporation. Retrieved on 22 December 2015</ref>
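The following is an added example, not part of the article or of any particular framework: it shows a response head built from user input by plain concatenation beside a version that validates header names and values first. The function names and the sample redirect values are hypothetical and constructed for illustration.

```python
import re

# Characters allowed in a header field name (the HTTP "token" grammar).
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# CR, LF and NUL end or corrupt a header line; bare LF is included because
# some parsers accept it as a line terminator.
FORBIDDEN = re.compile(r"[\r\n\x00]")


def build_response_unsafe(status, headers):
    """Vulnerable pattern: header values are concatenated as received."""
    lines = [f"HTTP/1.1 {status}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def build_response_safe(status, headers):
    """Hardened pattern: refuse any name or value that could end the line."""
    for name, value in headers:
        if not TOKEN.fullmatch(name):
            raise ValueError(f"invalid header name: {name!r}")
        if FORBIDDEN.search(value):
            raise ValueError(f"control character in {name} value")
    return build_response_unsafe(status, headers)


def header_names(raw):
    """List the header names a client would see in a serialized response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


# Constructed sample input: a redirect target copied from a request parameter.
BENIGN = "/account"
TAINTED = "/account\r\nSet-Cookie: sid=constructed-value"

if __name__ == "__main__":
    for target in (BENIGN, TAINTED):
        raw = build_response_unsafe("302 Found", [("Location", target)])
        print("unsafe:", header_names(raw))
        try:
            build_response_safe("302 Found", [("Location", target)])
            print("safe:   accepted")
        except ValueError as exc:
            print("safe:   rejected,", exc)
```

Rejecting the value outright, rather than stripping the control characters, keeps a malformed redirect target from being silently rewritten into a different one.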