Showing posts from June, 2012

HTTP Header Injection

Sometimes user input is reflected in the HTTP response headers sent by the server. If this is the case, we may want to inject additional headers to perform other tasks, e.g. setting extra cookies, redirecting the user's browser to another site, etc.

One example of this is a file download from a website with a user-defined filename that I tested. The web application took a user-supplied description for a dataset that was used in several places. It was passed through several layers of validation for output to the screen and to a CSV file for download. However, it was also used as the filename for the CSV download, and there it was not subject to enough validation. The filename was written to the HTTP headers as an attachment, e.g.:

    Content-Disposition: attachment; filename="output.csv"

However, if we want to add a redirect header to the response from the server then we have to manipulate the filename/description. If we add a CRLF (carriage return line feed – i.e. a new line) then
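The header-building pattern described above, next to a hardened version, as an added example that is not code from the original post or the tested application. All function names and sample inputs are hypothetical, and Python is assumed for the server side.

```python
import re
from urllib.parse import quote

# Control characters (CR, LF, NUL, ...) must never reach a header value.
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def naive_disposition(description: str) -> str:
    """The weak pattern: user text dropped straight into the header."""
    return f'Content-Disposition: attachment; filename="{description}.csv"'


def safe_disposition(description: str, fallback: str = "output") -> str:
    """Reject control characters, then emit an allow-listed filename."""
    if _CTL.search(description):
        raise ValueError("control character in filename")
    # ASCII fallback: keep letters, digits, dot, dash, underscore and space.
    cleaned = re.sub(r"[^A-Za-z0-9._ -]", "_", description).strip(" .")
    ascii_name = cleaned or fallback
    # RFC 6266 / RFC 5987 extended parameter: full name, percent-encoded.
    encoded = quote(description + ".csv", safe="")
    return (f'Content-Disposition: attachment; filename="{ascii_name}.csv"; '
            f"filename*=UTF-8''{encoded}")


def header_lines(raw: str) -> list[str]:
    """Split the way an HTTP parser does: one header per CRLF-ended line."""
    return raw.split("\r\n")


# Constructed sample inputs, not taken from the tested application.
BENIGN = "Q2 sales report"
HOSTILE = 'x"\r\nX-Injected: constructed'

if __name__ == "__main__":
    print(header_lines(naive_disposition(BENIGN)))   # one header line
    print(header_lines(naive_disposition(HOSTILE)))  # splits into two lines
    print(safe_disposition(BENIGN))
    try:
        safe_disposition(HOSTILE)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting the request is preferable to silently stripping CR/LF, because the rejection can be logged and alerted on.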