
Header Injections

Posted: Fri Feb 06, 2009 11:01 am
by alex.barylski
From the Wiki:
HTTP header injection is a general class of web application security vulnerability which occurs when Hypertext Transfer Protocol (HTTP) headers are dynamically generated based on user input.
I'm not sure I get it though...why would headers ever need to be dynamically generated other than using time() to set the cache expiration, etc?

Certainly redirects are almost always hard-coded. Is this an example of an insecurity being introduced through bad design? Maybe I'm missing something about advanced header usage (admittedly I pretty much send the same headers in every project -- non-cache and redirects). Can someone give me an example as to when you might use dynamic headers so they might be exploited?

Cheers,
Alex

Re: Header Injections

Posted: Fri Feb 06, 2009 12:52 pm
by arjan.top
A better example here is email headers.

Re: Header Injections

Posted: Sat Feb 07, 2009 2:28 am
by Mordred
There are many valid reasons to generate dynamic headers. The most common example is link counters:

link.php?url=http://google.com

and in link.php you have

header("Location: {$_GET['url']}");

With recent (at least a year IIRC) versions of PHP, the header() function is protected internally to strip newlines.
As arjan said though, generating SMTP headers (for the mail() function) does offer the possibility for header injections.

It's kinda stupid really, as it is by design that the function allows injection; it can't be fixed like header().

Re: Header Injections

Posted: Sat Feb 07, 2009 1:43 pm
by kaisellgren
I have also come across an application that let the user specify his email format in a select box; there were two options: text/plain and text/html. The script never checked that the submitted value was indeed either of these, and allowed anything to be inserted into the headers.
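
The mail() cases raised in the two posts above, shown from the validation side as an added example that is not part of the original thread. The helper names (safe_header_value, pick_format, build_mail_headers) and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not code from the thread.

// Only these values may ever reach the Content-Type header (the two select box options).
const ALLOWED_FORMATS = ['text/plain', 'text/html'];

// Reject any value that could terminate the current header line.
function safe_header_value(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('Line break in header value');
    }
    return trim($value);
}

// Map the submitted format onto the allowlist instead of trusting the form.
function pick_format(string $submitted): string
{
    return in_array($submitted, ALLOWED_FORMATS, true) ? $submitted : 'text/plain';
}

// Build the additional-headers string for mail() from untrusted form fields.
function build_mail_headers(string $replyTo, string $format): string
{
    $replyTo = safe_header_value($replyTo);
    if (filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid reply-to address');
    }
    return implode("\r\n", [
        'Reply-To: ' . $replyTo,
        'MIME-Version: 1.0',
        'Content-Type: ' . pick_format($format) . '; charset=UTF-8',
    ]);
}

// Constructed sample input: one normal submission, two carrying a CRLF.
$samples = [
    ['user@example.com', 'text/html'],
    ["user@example.com\r\nX-Injected: 1", 'text/html'],
    ['user@example.com', "text/html\r\nX-Injected: 1"],
];
foreach ($samples as [$replyTo, $format]) {
    try {
        echo build_mail_headers($replyTo, $format), "\n---\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n---\n";
    }
}
```

The second sample is rejected outright, and the third falls back to text/plain because the submitted format is not one of the two allowed values.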

Re: Header Injections

Posted: Sun Feb 08, 2009 6:43 pm
by josh
Could also pertain to request headers.