Header Injection

Headers can be used by developers in web applications. If they forget to properly sanitize input or fail to implement security measures, header injection becomes possible.

Header Values Injection

Host Header Injection

# Server generates a reset link using Host header
$resetLink = "https://" . $_SERVER['HTTP_HOST'] . "/reset-password?token=" . $token;
mail($to, "Reset Your Password", "Click here: " . $resetLink, "From: noreply@" . $_SERVER['HTTP_HOST']);

This is insecure because an attacker can modify the Host header to redirect the email to their own domain and steal the password reset token.

# Attacker changes the Host header
GET /reset-password?email=victim@site.com HTTP/1.1
Host: evil.com

# Victim clicks the malicious link: https://evil.com/reset-password?token=abc123
# Attacker captures the token and resets the victim's password
GET /reset-password?token=abc123&newpass=Hacked123 HTTP/1.1
Host: target.com

Try to inject the Host header parameter — this can lead to redirects, SSRF, cache poisoning, or even password reset poisoning.

# SSRF via Host header
curl -H "Host: 127.0.0.1" http://target.tld/

Referer

# If script is based on the referer to allowd access at a resource, change referer
Referer: https://site.com/admin

Bypass IP

Trying to inject this header, to access at the restricted resource or bypass WAF and IDS/IPS

Host: 127.0.0.1
Location: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Forwarded-Server: 127.0.0.1
ProxySourceAddress: 127.0.0.1

Bad Sanitization

If HTTP headers are not properly sanitized, attackers can inject malicious code into the application. Unsanitized values can lead to vulnerabilities like XSS or file inclusion:

# Example of XSS:
echo $_SERVER['HTTP_USER_AGENT']

# Example of LFI/RFI:
include $_COOKIE['user_file']

[+] Always check if header values are used directly and test injection points in the fields to identify possible vulnerabilities.

HTTP Method

If the server has been configure to return resource with restriction with a speciofic method, trying to access at this resource with anothers methods.

# Testing headers should also include testing different HTTP methods (OPTIONS, TRACE, FOO, BAR)
# to check if they're improperly configured on the server.

Tracing / Tracking

Trace Method

# The TRACE method, if enabled, echoes back all HTTP headers sent by the client.
# This can expose sensitive data such as cookies, tokens, or other private headers.
# If XSS vulnerabilities exist, attackers can exploit TRACE to retrieve this data.

XST (Cross Site Tracing)

# The TRACE method echoes back all HTTP headers, including sensitive data like cookies and tokens.
# If there's an XSS vulnerability, an attacker can inject malicious code to trigger TRACE and retrieve these headers.
# This bypasses browser security, allowing access to normally blocked HTTP headers.

Header Security

Headers can be secured to prevent common vulnerabilities such as XSS, LFI, and RFI.

# Strict-Transport-Security (HSTS) – Forces HTTPS to prevent downgrade attacks.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

# Content Security Policy (CSP) to prevent XSS and client side code execution

# Blocks inline scripts and restricts external resources
Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com

# X-XSS-Protection - Mitigates reflected XSS (deprecated but still useful).
X-XSS-Protection: 1; mode=block

# X-Frame-Options – Prevents Clickjacking by blocking iframe embedding.
X-Frame-Options: DENY

# X-Content-Type-Options - Blocks MIME-type sniffing to prevent content-type spoofing.
X-Content-Type-Options: nosniff

Secure Cookie :

• Secure - Prevents cookies from being sent over HTTP.
• HttpOnly - Blocks JavaScript from accessing cookies (prevents XSS cookie theft).
• SameSite - Protects against CSRF by restricting cross-site cookie sharing.

Set-Cookie: sessionid=abc123; Secure; HttpOnly; SameSite=Strict

Tips

# - Check if headers are used by the application and try to exploit them.
# - Modify Host, Referer, or IP headers to access restricted resources.
# - Bypass restrictions by injecting headers like X-Forwarded-For or Client-IP.
# - Test if security mechanisms rely on easily spoofed headers.
# - Some WAFs or access controls may trust user-controlled headers.