
HeaderInjection

HeaderInjection is a class of vulnerabilities in which untrusted input is incorporated into HTTP response headers or, in email workflows, into mail headers, enabling an attacker to influence header content. In web applications, this often occurs when header names or values are built by concatenating strings with user-supplied data, such as redirect locations (Location) or cookies (Set-Cookie).

The common mechanism is the presence of carriage return and line feed characters in the input. CR and LF can split a header into multiple lines, creating additional headers or responses. This is known as HTTP response splitting in many contexts and can be used in combination with other flaws to alter the behavior of a web response, such as redirects, caching, or reflected content.

Impact can include cache poisoning, unintended page redirects, and the potential for cross-site scripting if header data is reflected in a page. HeaderInjection can undermine the integrity of web traffic and, in some configurations, facilitate phishing or user confusion through manipulated headers.

Mitigation focuses on preventing untrusted data from influencing header construction. Best practices include using framework APIs to set headers rather than manual string assembly, validating and sanitizing input, and rejecting or encoding CR and LF characters. Employ strict input validation, apply safe encoding or canonicalization, and use header value allowlists. Server and application configurations should enforce safe header handling, and regular code reviews and automated scanners can help detect problematic header construction.

See also: HTTP response splitting, mail header injection.
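The mitigation described above, as an added example that is not part of the original page: naive string assembly beside a builder that rejects any header name or value carrying CR, LF or other control characters, plus an allowlist check for redirect targets. All function names and the sample inputs are constructed for illustration.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Field names must be RFC 7230 tokens; values may contain only HTAB and
# visible ASCII, so CR (0x0d), LF (0x0a) and NUL can never reach the wire.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_BAD_VALUE_RE = re.compile(r"[^\t\x20-\x7e]")

class HeaderInjectionError(ValueError):
    """Raised instead of encoding: rejecting the value is the safest outcome."""

def validate_header(name: str, value: str) -> Tuple[str, str]:
    if not _TOKEN_RE.match(name):
        raise HeaderInjectionError(f"illegal header name {name!r}")
    if _BAD_VALUE_RE.search(value):
        raise HeaderInjectionError(f"control character in value of {name}")
    return name, value.strip()

def unsafe_build_headers(pairs: List[Tuple[str, str]]) -> str:
    """Naive string assembly: whatever is in 'value' lands on the wire."""
    return "".join(f"{n}: {v}\r\n" for n, v in pairs) + "\r\n"

def safe_build_headers(pairs: List[Tuple[str, str]]) -> str:
    """Same layout, but every pair passes validate_header first."""
    return unsafe_build_headers([validate_header(n, v) for n, v in pairs])

def rejects(name: str, value: str) -> bool:
    """True if the safe builder refuses this pair (a hypothetical check helper)."""
    try:
        safe_build_headers([(name, value)])
    except HeaderInjectionError:
        return True
    return False

def count_header_lines(raw: str) -> int:
    """Count header lines the way a receiver parses them: one per CRLF."""
    head = raw.split("\r\n\r\n", 1)[0]
    return len([line for line in head.split("\r\n") if line])

def is_allowed_redirect(location: str, allowed_hosts: set) -> bool:
    """Allowlist for Location: relative paths or approved hosts only."""
    parts = urlsplit(location)
    if parts.scheme or parts.netloc:
        return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts
    return location.startswith("/") and not location.startswith("//")

# Constructed sample: a redirect target carrying an embedded CRLF turns one
# Location header into two lines under naive assembly; the safe builder rejects it.
TAINTED = "/home\r\nX-Injected: yes"
```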