HTTP Header Injection
HTTP Header Injection is a web security vulnerability where attackers manipulate HTTP request headers to inject malicious payloads, often targeting backend systems like databases. This occurs when applications process unsanitized header values in security-sensitive operations, such as logging, authentication, or database queries. Unlike traditional SQL injection, this attack vector exploits the often-overlooked trust placed in HTTP headers.
How HTTP Header Injection Works
Attackers exploit the implicit trust web applications place in HTTP headers by crafting requests with malicious values. When these headers are processed—whether for logging, authentication, or database operations—the injected payloads can execute unintended actions.
Attack Flow
- Header Manipulation: Attackers modify headers (e.g., User-Agent, Referer) to include malicious code.
- Server Processing: The application uses the header value in an unsafe operation (e.g., SQL query, log file).
- Payload Execution: If unsanitized, the injected code executes, leading to data breaches or system compromise.
Critical Insight: HTTP headers are user-controlled input and should never be trusted without validation.
Common Attack Vectors
| Header | Typical Use Case | Exploitation Risk |
|---|---|---|
| User-Agent | Browser/device identification | SQL injection in logging systems |
| Referer | Tracking traffic sources | Stored XSS or SQLi in analytics databases |
| X-Forwarded-For | Proxy IP tracking | Bypassing IP-based security controls |
| Cookie | Session management | Session fixation or privilege escalation |
Practical Exploitation Example
An attacker sends a request with a maliciously crafted User-Agent header:
```http
User-Agent: ' OR 1=1 --
```
If the application logs this header directly into a SQL database without sanitization, the query might become:
```sql
INSERT INTO logs (user_agent) VALUES ('' OR 1=1 --');
```
The quote in the header breaks out of the string literal, so the rest of the statement is attacker-controlled; this could expose all records in the logs table.
Impact of HTTP Header Injection
- Data Breaches: Unauthorized access to sensitive data (e.g., passwords, PII).
- Database Manipulation: Altering or deleting records via injected SQL commands.
- Authentication Bypass: Exploiting headers like Cookie or Authorization to hijack sessions.
- Secondary Attacks: Enabling stored XSS or server-side request forgery (SSRF) via header manipulation.
Real-World Case: In 2018, a major e-commerce platform suffered a data breach when attackers injected SQL via the Referer header, exposing 500,000 customer records.
Prevention and Mitigation Strategies
Secure Coding Practices
- Input Validation: Treat all headers as untrusted input. Validate against allowlists.
```python
import re

# Example: validate the User-Agent header against an allowlist before use.
# Real browser User-Agent strings also contain '/', '(', ')', ';' and '.',
# so widen the character class to match the clients you actually accept.
def validate_user_agent(user_agent: str) -> str:
    if not re.match(r'^[a-zA-Z0-9\s\-_]+$', user_agent):
        raise ValueError("Invalid User-Agent header")
    return user_agent
```
- Output Encoding: Encode header values before using them in SQL queries, HTML, or logs.
- Parameterized Queries: Use prepared statements to separate data from commands.
```sql
-- Safe: parameterized query (MySQL prepared-statement syntax).
-- @user_agent carries the raw header value as data, never as SQL text.
PREPARE stmt FROM 'INSERT INTO logs (user_agent) VALUES (?)';
EXECUTE stmt USING @user_agent;
DEALLOCATE PREPARE stmt;
```
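The string-built logging INSERT from the exploitation example beside its parameterized form, as an added Python example that is not part of the original page. It uses an in-memory SQLite database; the request headers and the allowlist pattern are constructed for this example.

```python
import re
import sqlite3

# Constructed sample request headers (not captured traffic).
SAMPLE_HEADERS = {
    "User-Agent": "' OR 1=1 --",
    "Referer": "https://example.test/page?id=1",
}

# Hypothetical allowlist for a loggable User-Agent: a bounded set of printable
# ASCII that permits the punctuation real browsers send ('/', '(', ')', ';', '.')
# but excludes quotes, '=' and other characters with meaning in SQL text.
UA_PATTERN = re.compile(r"^[A-Za-z0-9 ./();:,_+-]{1,256}$")


def is_valid_user_agent(value: str) -> bool:
    return bool(UA_PATTERN.match(value))


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (id INTEGER PRIMARY KEY, user_agent TEXT, referer TEXT)")
    return conn


def log_vulnerable(conn: sqlite3.Connection, headers: dict) -> None:
    """String-built INSERT: the header value becomes part of the SQL text."""
    sql = "INSERT INTO logs (user_agent, referer) VALUES ('%s', '%s')" % (
        headers.get("User-Agent", ""), headers.get("Referer", ""))
    conn.execute(sql)


def log_safe(conn: sqlite3.Connection, headers: dict) -> None:
    """Parameterized INSERT: the driver binds the value as data, never as SQL."""
    conn.execute("INSERT INTO logs (user_agent, referer) VALUES (?, ?)",
                 (headers.get("User-Agent", ""), headers.get("Referer", "")))


def demo() -> dict:
    """Run both loggers on the constructed headers and report what happened."""
    results = {}
    conn = setup_db()
    try:
        log_vulnerable(conn, SAMPLE_HEADERS)
        results["vulnerable"] = "inserted"
    except sqlite3.Error as exc:
        # The quote in the header rewrote the statement; the header now shapes the SQL.
        results["vulnerable"] = "sql error: %s" % exc
    log_safe(conn, SAMPLE_HEADERS)
    results["safe"] = conn.execute("SELECT user_agent FROM logs").fetchone()[0]
    results["valid"] = is_valid_user_agent(SAMPLE_HEADERS["User-Agent"])
    return results
```

Running demo() shows the string-built statement failing on the injected quote while the parameterized statement stores the header verbatim as data, and the allowlist rejecting the value before it ever reaches the database.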
Infrastructure-Level Protections
- Web Application Firewalls (WAFs): Deploy rules to block suspicious header patterns.
- Header Sanitization Middleware: Strip or neutralize dangerous characters in headers.
- Logging Safeguards: Avoid logging raw headers; use hashing or truncation for sensitive data.
Secure Defaults
| Technique | Implementation Example |
|---|---|
| Allowlist Validation | Only permit alphanumeric User-Agent values |
| Header Normalization | Convert headers to lowercase before processing |
| Rate Limiting | Block excessive header manipulation attempts |
Key Takeaways
- Never trust HTTP headers: Treat them as user-controlled input.
- Sanitize before use: Validate and encode headers for their intended context (SQL, HTML, logs).
- Use defense in depth: Combine input validation, parameterized queries, and WAFs.
- Audit logging practices: Ensure logs don’t become attack vectors.
- Stay updated: Follow OWASP guidelines for emerging header-based threats.