F5 GLOSSARY

HTTP Header Injection

What is HTTP Header Injection?

HTTP Header Injection is an attack that targets web applications which copy user-supplied input into HTTP response headers. By embedding malicious strings that include carriage return and line feed (CRLF) characters in a request sent to the web server, an attacker can alter the structure of the HTTP response. Web applications that write user-provided parameters directly into HTTP response headers without sanitization are particularly vulnerable to this type of attack.

For instance, consider a scenario where a browser sends the following request with a parameter:

http://f5.com/index.html?status=1

If the web application uses the status=1 parameter for session management, it might return an HTTP response like this:

HTTP/1.1 200 OK
...
Set-Cookie:status=1

Now, suppose the request is modified with the following crafted input:

http://f5.com/index.html?status=1<CRLF><CRLF><html><body><script>~</script></body></html>

The HTTP response from the web application would be altered as follows:

HTTP/1.1 200 OK
...
Set-Cookie:status=1
<empty line>
<html><body><script>~</script></body></html>

In an HTTP response, everything after the first blank line (two consecutive CRLF sequences) is treated as the response body and rendered by the browser. If that body contains malicious JavaScript, the browser executes it, leading to potential security breaches. Attackers may also craft input that injects additional header lines, such as:

<CRLF>Set-Cookie:PHPSESSID=abc

This sets a specific session ID in the browser and enables session fixation attacks.

How to Prevent HTTP Header Injection:

  • Sanitization: Validate and sanitize request parameters before writing them into HTTP response headers, rejecting or stripping CR and LF characters so that user input can never terminate a header line.
  • Web Application Firewall (WAF): Since sanitizing every web application consistently is difficult, deploying a WAF is an effective complementary control. A WAF inspects application-layer traffic and can block requests identified as attacks, thereby mitigating HTTP Header Injection risks.
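The following is an added example, not code from the F5 glossary: it reproduces the status/Set-Cookie scenario above with a naive response builder, shows how a browser-style split at the first blank line turns the injected CRLF into an extra Set-Cookie header and a body, and contrasts it with a validating builder and a WAF-style parameter check. The URL, host and helper names are constructed for illustration, with the CRLF percent-encoded as a browser would send it.

```python
import re
from urllib.parse import parse_qs, urlsplit

CRLF = "\r\n"
_CTL = re.compile(r"[\r\n\x00]")  # characters that must never reach a header line


def params_from_url(url):
    """Decode the query string the way a server framework would (%0D%0A -> CR LF)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def build_response_naive(status):
    """Vulnerable: the raw 'status' parameter is copied into Set-Cookie unchanged."""
    return "HTTP/1.1 200 OK" + CRLF + "Set-Cookie:status=" + status + CRLF + CRLF


def is_safe_header_value(value):
    """True when the value has no CR, LF or NUL, so it cannot end the header line."""
    return _CTL.search(value) is None


def build_response_safe(status):
    """Hardened: refuses a value that could terminate the header block."""
    if not is_safe_header_value(status):
        raise ValueError("CR/LF in header value: request rejected")
    return build_response_naive(status)


def split_response(raw):
    """Split a raw response as a browser does: headers end at the first blank line."""
    head, _, body = raw.partition(CRLF + CRLF)
    return head.split(CRLF)[1:], body


def suspicious_params(url):
    """WAF-style check: names of query parameters whose decoded value carries CR/LF."""
    return sorted(name for name, values in params_from_url(url).items()
                  if any(not is_safe_header_value(v) for v in values))


# Constructed sample request (hypothetical host): the glossary's crafted input with
# an injected Set-Cookie header and an HTML body after the blank line.
INJECTED_URL = ("http://example.test/index.html?status=1%0D%0ASet-Cookie:PHPSESSID=abc"
                "%0D%0A%0D%0A<html><body>injected</body></html>")

if __name__ == "__main__":
    status = params_from_url(INJECTED_URL)["status"][0]
    headers, body = split_response(build_response_naive(status))
    print("naive headers:", headers)   # two Set-Cookie headers, one injected
    print("naive body:", body.strip())  # attacker-controlled HTML
    print("flagged params:", suspicious_params(INJECTED_URL))
```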