Wikipedia

HTTP header injection

This is an old revision of this page, as edited by 200.114.251.51 (talk) at 01:38, 10 June 2014. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

The HTTP Header Enrichment (HHE) capability provides solutions for a content provider to identify a subscriber. Basic HHE allows the subscriber to be identified by their MSISDN. Aliased HHE allows the subscriber to be identified without divulging the subscriber’s MSISDN.

HHE allows mobile operators with 3G/4G networks to merge selected subscriber session information into the HTTP requests being sent to selected web sites. This ability to merge signalling information into the data flow makes a number of valuable data services much more practical to implement.

'HTTP header injection is a general class of web application security vulnerability which occurs when Hypertext Transfer Protocol (HTTP) headers are dynamically generated based on user input. Header injection in HTTP responses can allow for HTTP response splitting (also known as CRLF - Carriage Return Line Feed), Session fixation via the Set-Cookie header, cross-site scripting (XSS), and malicious redirect attacks via the ___location header. HTTP header injection is a relatively new area for web-based attacks, and has primarily been pioneered by Amit Klein in his work on request/response smuggling/splitting. Vulnerabilities due to HTTP header injections such as CRLF are no longer feasible due to the fact that multiple header requests are not possible.

Sources

Tools

 

This World Wide Web–related article is a stub. You can help Wikipedia by expanding it.

Retrieved from "https://en.wikipedia.org/w/index.php?title=HTTP_header_injection&oldid=612293248"