Headers Injections

Security Headers

HTTP Strict Transport Security (HSTS)  --- Force HTTPS if enabled on the website
Content Security Policy (CSP)  ---  Restrict/Whitelist some resources for some users
X-XSS-Protection  ---  Protection for XSS
X-Frame-Options  ---  Protect from clickjacking by removing iframes
X-Content-Type-Options  ---  Protect from MIME sniffing

# Cookie
Set-Cookie Secure  ---  Prevent cookie stealing during transport
Set-Cookie HttpOnly  ---  Prevent cookie stealing in the web browser
Set-Cookie SameSite  ---  Prevent from CSRF (cookies will stay on the website)

Interesting Headers

Some interesting header to fuzz the application with:

Host: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Forwarded-Server: 127.0.0.1
Location: 127.0.0.1
ProxySourceAddress: 127.0.0.1

TRACE/TRACK Method

# You can get information using the TRACE method
# If your requests goes through a WAF, you might have some informations in the response
# Added headers (X-Forwarded-For) for example → You can try to bypass the WAF
# Bypass WAF by addind it's own IP in the header and tell him to ignore the request

XST - Cross Site Tracing

# Client side vulnerability using TRACE Method
# It's not about injecting executable Javascript as long as the client must already be able to execute
# It takes advantage of the fact that the web server reflect the client's HTTP message in his response

# The main goal is to access headers that are blocked by JavaScript