HTTP Header Injection

Attackers exploit HTTP Header Injection when applications improperly handle user input, allowing them to inject malicious data into HTTP headers. This exploitation can lead to vulnerabilities such as response splitting, unauthorized redirection, or cross-site scripting (XSS). The vulnerability occurs when applications fail to properly validate or sanitize user inputs before including them in HTTP headers.

This blog explores the critical vulnerability of HTTP Header Injection, detailing how attackers exploit improper input handling in web applications. It also examines the implications of this vulnerability and presents effective strategies to safeguard against potential threats.

Understanding HTTP Header

The HTTP header, or Hypertext Transfer Protocol header, serves as a fundamental component of HTTP messages that clients (such as web browsers) and servers (such as web servers) exchange. These headers contain metadata about the HTTP request or response, providing essential information to facilitate communication between the client and server.

Developers structure HTTP headers as key-value pairs and categorize them into two types: request headers and response headers.

Request Headers

Request headers originate from the client—such as a browser—and convey essential information about the client’s request to the server. While numerous types of request headers exist, attackers often target specific ones in HTTP Header Injection vulnerabilities. The following headers commonly fall prey to manipulation:

• Host: The Host header indicates the domain name of the server that receives the request. Attackers exploit this header in Host Header Injection attacks, using it to redirect users to malicious sites or initiate Server-Side Request Forgery (SSRF) attacks.

• User-Agent: The User-Agent header provides information about the client making the request, such as the browser or application. Attackers frequently inject malicious scripts or code into this header, which can lead to Cross-Site Scripting (XSS) or other client-side attacks when the server reflects this data back in the HTTP response.

Response Headers

Response headers travel from the server back to the client and provide crucial information about the server's response. Attackers can exploit vulnerabilities in the handling of these headers to inject malicious data. Key response headers often targeted include:

• Content-Type: This header specifies the MIME type of the response content. Attackers may manipulate this header to deliver malicious content or scripts by exploiting Content-Type Mismatches, which can lead to security issues such as XSS.

• Set-Cookie: The Set-Cookie header enables the server to set cookies on the client. If improperly configured or manipulated, this header can become a target for attackers, allowing them to steal session information or execute a Session Fixation attack.

What is HTTP Header Injection?

Attackers exploit HTTP header injection vulnerabilities by manipulating HTTP headers to insert malicious content or force web applications to include unauthorized HTTP headers in their responses. This exploitation enables various attacks, including cross-site scripting (XSS), server-side request forgery (SSRF), cache poisoning, and session hijacking.

Risks of Malicious HTTP Header Injection

HTTP header injection poses significant risks to web applications and their users, compromising security and potentially causing severe consequences.

Cross-Site Scripting (XSS)

Attackers inject malicious scripts into HTTP headers, causing the client's browser to execute unauthorized actions. These actions may include stealing cookies or session tokens, or redirecting users to malicious websites. XSS attacks exploit the trust between the user and the web application, allowing attackers to manipulate client-side behavior.

Cross-Site Request Forgery (CSRF)

Attackers craft malicious HTTP requests to trick authenticated users into performing actions without their consent. This manipulation leads to unintended operations such as changing account details or initiating transactions. CSRF attacks exploit the trust that web applications place in users' browser requests.

Session Fixation

Attackers manipulate session-related headers to fix users' session identifiers, allowing them to hijack sessions later. This enables attackers to impersonate users, gain unauthorized access to their accounts, and perform actions on their behalf. Session fixation targets the session management mechanisms of web applications.

Cache Poisoning

Attackers inject manipulated headers to trick caching mechanisms into serving malicious or incorrect content to users. Cache poisoning allows attackers to serve compromised content, leading to further exploitation, spreading misinformation, or distributing malware to end users. This attack exploits the trust that both servers and clients place in cached data.

How Does HTTP Header Injection Occur?

Attackers exploit HTTP header injection vulnerabilities when server-side applications mishandle user-controlled data. This vulnerability typically occurs when applications fail to sufficiently validate or encode user-supplied data before including it in HTTP headers.

The injected content becomes part of the HTTP response that the client receives when the server-side application fails to properly validate or sanitize this input.

Reflected HTTP Header Injection

In a reflected HTTP Header Injection scenario, attackers exploit a vulnerable web application that echoes user input from the User-Agent header into its HTTP response headers without validation or sanitization. The attacker injects malicious content by sending a crafted HTTP request with a payload in the User-Agent header, as shown in the example below:

GET /vulnerable-page HTTP/1.1
Host: vulnerable-site.com
User-Agent: <script>alert('XSS');</script>

The web server reflects theUser-Agentheader back into the HTTP response after processing this request. Here's a demonstration:

HTTP/1.1 200 OK
Date: Thu, 10 Mar 2024 12:00:00 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
XSS-Protection: 1; mode=block
User-Agent: <script>alert('XSS'

When users access the vulnerable page, their browsers execute the reflected <script>alert('XSS');</script> payload, resulting in a cross-site scripting (XSS) attack. The injected script becomes part of the HTTP response headers, allowing browsers to interpret and run it. This attack resembles traditional XSS as user-controlled input is reflected and executed, but the malicious code appears in the response headers instead of the HTML source code.

Developers often reflect headers like the Referrer header to gather information about users' navigation patterns and analyze marketing efforts. However, reflecting these headers without proper sanitization can expose users' browsing history or enable XSS attacks.

Impact: Attackers use the reflected malicious payload to steal sensitive information like cookies, hijack user sessions, or deface the vulnerable website, depending on their goals and the power of the injected script.

HTTP Arbitrary Host Header Injection

Attackers exploit HTTP Host Header Injection vulnerabilities by manipulating the Host header of an HTTP request. They craft a request(VB.Net) that looks like this:

The attacker targets the resource "/example" on the domain "vulnerable-website.com," which appears legitimate at first glance. However, the attacker manipulates the Host header by appending a malicious string, "bad-stuff-here," to the domain name. This altered Host header can lead to various security vulnerabilities depending on how the server processes Host headers.

Attackers can exploit this vulnerability through domain hijacking. They inject an arbitrary domain name into the Host header to redirect users to malicious websites. This redirection facilitates phishing attacks, malware distribution, or unauthorized data collection by tricking users into interacting with a site controlled by the attacker.

Attackers also commonly use HTTP Host Header Injection to enable Server-Side Request Forgery (SSRF) attacks. In SSRF, attackers manipulate the server into sending requests to internal services or systems not intended for external access. By injecting malicious Host headers, attackers trick the server into making requests to these internal systems, potentially resulting in data breaches, service disruptions, or unauthorized access to sensitive data.

In both cases, attackers exploit improper server validation through the malicious Host header, allowing them to hijack requests or gain access to restricted internal services. Proper validation of the Host header and restricting access to internal resources can prevent these types of attacks.

Detection Techniques for HTTP Header Injection

HTTP header injection vulnerabilities create significant security risks, including cross-site scripting (XSS), session hijacking, and web cache poisoning. Application security engineers can effectively detect these vulnerabilities by employing various techniques.

1. Manual Testing Techniques

Use an intercepting proxy, such as Burp Suite, to modify the Host header in HTTP requests. Test with unrecognized or arbitrary domain names to observe how the server responds. This method reveals whether the application improperly trusts the Host header.

Inject duplicate Host headers in a request to check if the system mishandles them. When one header overrides the other, this approach identifies vulnerabilities or unexpected behaviors.

Indent HTTP headers with a space character to see if the server interprets it as part of the preceding header’s value. This technique exploits inconsistencies in how different servers process requests.

Inject CRLF characters (%0D%0A) into headers to create new headers or manipulate existing ones. Security engineers can identify vulnerabilities related to HTTP response splitting and similar attacks through this method.

2. Automated Scanning Tools

Utilize web vulnerability scanners like Acunetix or Invicti to automate the detection of HTTP header injection vulnerabilities. These tools simplify the process of testing for CRLF injection and related issues.

3. Specific Vulnerability Tests

Test how the application responds when supplying different values in the Host header. Injecting a malicious domain could lead to password reset poisoning or web cache poisoning if the application uses the Host header for link generation.

Inject content into response headers and observe if the server reflects it back without proper sanitization. This method identifies vulnerabilities that attackers could exploit for XSS or phishing attacks.

4. Observational Techniques

After modifying headers, analyze the server responses for unexpected behavior, such as additional headers or altered content. These anomalies often indicate potential vulnerabilities.

Check for reflected values in client-side scripts or markup that attackers could manipulate through header injection. This method helps to detect XSS or other client-side attack vectors.

CVEs of HTTP Header Injection

Security researchers have identified several critical CVEs related to HTTP header injection vulnerabilities, emphasizing the ongoing importance of addressing this security issue.

CVE-2022-38796

Attackers can exploit a Host Header Injection vulnerability in Feehi CMS 2.1.1 to manipulate headers. They abuse password reset emails to spoof specific headers and mislead users. This vulnerability can cause users to receive incorrect or malicious emails, potentially leading to phishing attacks or unauthorized access.

CVE-2022-34163

Improper validation of the HOST header in IBM CICS TX 11.1 allows attackers to launch various attacks, such as cross-site scripting (XSS), cache poisoning, or session hijacking. Poor input validation of the HOST header enables attackers to manipulate server responses or intercept user sessions.

CVE-2022-23237

Attackers can exploit a vulnerability in E-Series SANtricity OS Controller Software versions 11.x up to 11.70.2 to redirect users to malicious websites. They do this by altering the Host header in HTTP requests. This redirection can lead to phishing attacks or further exploitation, compromising user trust and security.

CVE-2021-23436

Attackers can exploit a vulnerability in the "http-headers" package for Node.js due to improper validation of input data. This allows them to inject malicious headers and manipulate HTTP responses, potentially leading to cross-site scripting (XSS) or cache poisoning. This vulnerability affects applications that use this package to process HTTP headers without proper sanitization.

CVE-2020-8192

Attackers can exploit a Host Header Injection vulnerability in Citrix Gateway and Citrix ADC (formerly known as NetScaler) to perform HTTP header manipulations. This can lead to cache poisoning or session fixation attacks. Poor validation of the Host header allows attackers to alter how the server processes requests, potentially causing user redirection to malicious sites or interception of sensitive information.

Ways to Prevent HTTP Header Injection

Implement these security measures at different levels of the web application architecture to prevent HTTP header injection vulnerabilities:

Validate and Sanitize Input

Restrict user-supplied data to the expected format and remove or properly handle special characters like semicolons and newline characters. Use a whitelist of allowed characters to enforce strict input validation and prevent malicious injections.

Encode Output

Properly encode user input before adding it to HTTP headers. Use functions like urlencode or encodeURIComponent for URL parameters to ensure correct encoding of special characters. Apply appropriate encoding methods for other contexts, such as base64 encoding.

Apply Context-Specific Encoding

Tailor encoding practices to the specific context of user input within HTTP headers. Recognize that encoding requirements differ for URL parameters, cookies, and custom headers. This context-specific approach reduces the risk of injection attacks and ensures safe incorporation of user data into headers.

Set Security Headers

Enhance your application's defenses by implementing security headers that mitigate HTTP header injection attacks. Use headers such as X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy to provide additional layers of security, block common attack vectors, and prevent execution of malicious code.

Implement Least Privilege Access

Restrict permissions of services and applications that process HTTP requests to only what is necessary. This principle of least privilege minimizes the impact of potential HTTP header injection vulnerabilities. Limit each component's access to reduce the attack surface and enhance overall security.

Final Thoughts

HTTP Header Injection poses a serious threat to the security of web applications, potentially leading to attacks like cross-site scripting (XSS), cache poisoning, and even unauthorized redirects to malicious sites.

To safeguard applications, application security engineers should validate and sanitize all user inputs, especially those used in HTTP headers. They should implement proper encoding based on the context, utilize libraries designed to handle HTTP headers securely, and enforce security headers such as Content-Security-Policy (CSP) and X-XSS-Protection.

Akto offers protection against HTTP Header Injection vulnerabilities for APIs. Its robust security platform enables automatic testing of all API endpoints for potential threats, including HTTP Header Injection. By importing API inventories and running comprehensive security tests with a single click, security engineers can detect and fix vulnerabilities before they become an issue.

To stay ahead of potential security risks, security engineers can safeguard applications by utilizing Akto. More information about Akto's HTTP Header Injection tests is available here. Security engineers interested in exploring Akto's capabilities can book an Akto demo.