
What Is HTTP Header Injection?

HTTP header injection is a web application security vulnerability affecting HTTP (Hypertext Transfer Protocol) headers, specifically those generated dynamically from user input. HTTP response splitting, in particular, can occur wherever HTTP header injection is possible. The vulnerability enables a range of attacks, including malicious redirects through the Location header, cross-site scripting (XSS), and session fixation through the Set-Cookie header. Web-based attacks through HTTP header injection remain largely uncharted waters because this is a relatively new method of cyber assault, all things considered.

Header Injection Vulnerabilities

Documentation about HTTP header injection vulnerabilities is sparse and highly technical, so it isn't something that script kiddies can easily decipher and delve into anytime soon. To recap, this vulnerability is usually found in dynamically generated HTTP headers that depend on user input. Amit Klein is the leading figure when it comes to HTTP header injection exploits, particularly through his work on response/request splitting and smuggling. The path for cyber-attacks of this nature has therefore been trodden, and Klein has paved the way for more creative uses of this susceptibility.

User Based Input

The only reason efforts to deal with this security hole have been sparse is that attacks exploiting it have been similarly few and far between. The HTTP header is a component of every HTTP request and response. Header fields are transferred with every request and response, and they carry extra data about them. HTTP header injection isn't the kind of vulnerability that should be taken lightly just because it's "unexplored territory" in the realm of IT security, where very few hackers have taken full advantage of its so-called "potential" other than HTTP header injection pioneer Klein. Any header that makes use of user-based input has this vulnerability.

Multiple Sites Vulnerable

Many sites still have this vulnerability, unaddressed. For example, certain sites are open to malicious JavaScript injection through the "Expect" header. White hat hackers have long warned of the implications of this new approach to hacking and taking control of sites. Through an HTTP header injection exploit, almost anything can be inserted into a dynamic header that a user controls through input: malicious body text, additional HTTP headers, and newlines. In some situations this security hole makes compromising a site or server possible, and a host of other cybercrimes can be perpetrated through HTTP header injection, including malicious site redirects, phishing, and other social engineering attacks.
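
The newline insertion described above, shown as an added example that is not code from the original page: a redirect builder that copies user input into the Location header, next to one that rejects CR, LF and NUL. The function names and the sample value are constructed for illustration.

```python
import re

# CR, LF and NUL never belong inside a single header value.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def build_redirect_unsafe(target):
    """Vulnerable pattern: user input is copied straight into the header."""
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {target}\r\n"
            "Content-Length: 0\r\n\r\n")


def build_redirect_safe(target):
    """Hardened pattern: refuse any value that could end the header line."""
    if _FORBIDDEN.search(target):
        raise ValueError("control character in header value")
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {target}\r\n"
            "Content-Length: 0\r\n\r\n")


def header_names(raw):
    """Return the header field names as a client would parse them."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


# Constructed sample: a redirect parameter after URL decoding, carrying a CRLF.
SAMPLE = "/home\r\nSet-Cookie: session=attacker-chosen"

if __name__ == "__main__":
    # The unsafe builder emits a Set-Cookie header the application never set.
    print(header_names(build_redirect_unsafe(SAMPLE)))
    try:
        build_redirect_safe(SAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
    # A normal value passes through the safe builder unchanged.
    print(header_names(build_redirect_safe("/home")))
```

Rejecting the value is preferable to stripping the control characters, because a stripped value still reaches the header in a form the user did not legitimately supply.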