Header Poisoning

Request headers are an XSS injection vector whenever the application reflects their contents into a page without output encoding. Most headers are fully attacker-controlled, so anything rendered from them needs the same encoding and validation as a query parameter.

An example of this scenario:

  • The application has a See Your IP feature that shows the user's IP address, which it reads from the X-Forwarded-For header.

Example Request
GET http://$url HTTP/1.1
Host: $host
X-Forwarded-For: $IP
...

  • The header value is neither validated as an IP address nor HTML-encoded, so we can place JavaScript in it; when the feature renders the "IP", the payload executes. Because a victim's browser cannot be made to send a custom X-Forwarded-For, a purely reflected hit like this one only fires in the attacker's own browser. It becomes a real finding when the header value is stored and rendered to someone else (access logs, admin dashboards, "active sessions" pages), so check those views as well.

Example Request
GET http://$url HTTP/1.1
Host: $host
X-Forwarded-For: <img src=x onerror='alert("HACKED")'/>
...
