HTTP header injection
Encyclopedia
HTTP header injection is a general class of web application
security vulnerability which occurs when Hypertext Transfer Protocol
(HTTP) headers are dynamically generated based on user input. Header injection in HTTP responses can allow for HTTP response splitting
, Session fixation
via the Set-Cookie header, cross-site scripting
(XSS), and malicious redirects attacks via the location header. HTTP header injection is a relatively new area for web-based attacks, and has primarily been pioneered by Amit Klein in his work on request/response smuggling/splitting.
Web application
A web application is an application that is accessed over a network such as the Internet or an intranet. The term may also mean a computer software application that is coded in a browser-supported language and reliant on a common web browser to render the application executable.Web applications are...
security vulnerability which occurs when Hypertext Transfer Protocol
Hypertext Transfer Protocol
The Hypertext Transfer Protocol is a networking protocol for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web....
(HTTP) headers are dynamically generated based on user input. Header injection in HTTP responses can allow for HTTP response splitting
HTTP response splitting
HTTP response splitting is a form of web application vulnerability, resulting from the failure of the application or its environment to properly sanitize input values...
, Session fixation
Session fixation
In computer network security, session fixation attacks attempt to exploit the vulnerability of a system which allows one person to fixate another person's session identifier...
via the Set-Cookie header, cross-site scripting
Cross-site scripting
Cross-site scripting is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same...
(XSS), and malicious redirects attacks via the location header. HTTP header injection is a relatively new area for web-based attacks, and has primarily been pioneered by Amit Klein in his work on request/response smuggling/splitting.