hacktricks/src/network-services-pentesting/pentesting-web/special-http-headers.md

Special HTTP headers

{{#include ../../banners/hacktricks-training.md}}

Wordlists & Tools

• https://github.com/danielmiessler/SecLists/tree/master/Miscellaneous/Web/http-request-headers
• https://github.com/rfc-st/humble

Headers to Change Location

Rewrite IP source:

• X-Originating-IP: 127.0.0.1
• X-Forwarded-For: 127.0.0.1
• X-Forwarded: 127.0.0.1
• Forwarded-For: 127.0.0.1
• X-Forwarded-Host: 127.0.0.1
• X-Remote-IP: 127.0.0.1
• X-Remote-Addr: 127.0.0.1
• X-ProxyUser-Ip: 127.0.0.1
• X-Original-URL: 127.0.0.1
• Client-IP: 127.0.0.1
• X-Client-IP: 127.0.0.1
• X-Host: 127.0.0.1
• True-Client-IP: 127.0.0.1
• Cluster-Client-IP: 127.0.0.1
• Via: 1.0 fred, 1.1 127.0.0.1
• Connection: close, X-Forwarded-For (Check hop-by-hop headers)

Rewrite location:

• X-Original-URL: /admin/console
• X-Rewrite-URL: /admin/console

Hop-by-Hop headers

A hop-by-hop header is a header which is designed to be processed and consumed by the proxy currently handling the request, as opposed to an end-to-end header.

• Connection: close, X-Forwarded-For

{{#ref}} ../../pentesting-web/abusing-hop-by-hop-headers.md {{#endref}}

HTTP Request Smuggling

• Content-Length: 30
• Transfer-Encoding: chunked

{{#ref}} ../../pentesting-web/http-request-smuggling/ {{#endref}}

Cache Headers

Server Cache Headers:

• X-Cache in the response may have the value miss when the request wasn't cached and the value hit when it is cached
• Similar behaviour in the header Cf-Cache-Status
• Cache-Control indicates if a resource is being cached and when will be the next time the resource will be cached again: Cache-Control: public, max-age=1800
• Vary is often used in the response to indicate additional headers that are treated as part of the cache key even if they are normally unkeyed.
• Age defines the times in seconds the object has been in the proxy cache.
• Server-Timing: cdn-cache; desc=HIT also indicates that a resource was cached

{{#ref}} ../../pentesting-web/cache-deception/ {{#endref}}

Local Cache headers:

• Clear-Site-Data: Header to indicate the cache that should be removed: Clear-Site-Data: "cache", "cookies"
• Expires: Contains date/time when the response should expire: Expires: Wed, 21 Oct 2015 07:28:00 GMT
• Pragma: no-cache same as Cache-Control: no-cache
• Warning: The Warning general HTTP header contains information about possible problems with the status of the message. More than one Warning header may appear in a response. Warning: 110 anderson/1.3.37 "Response is stale"

Conditionals

• Requests using these headers: If-Modified-Since and If-Unmodified-Since will be responded with data only if the response header**Last-Modified** contains a different time.
• Conditional requests using If-Match and If-None-Match use an Etag value so the web server will send the content of the response if the data (Etag) has changed. The Etag is taken from the HTTP response.
• The Etag value is usually calculated based on the content of the response. For example, ETag: W/"37-eL2g8DEyqntYlaLp5XLInBWsjWI" indicates that the Etag is the Sha1 of 37 bytes.

Range requests

• Accept-Ranges: Indicates if the server supports range requests, and if so in which unit the range can be expressed. Accept-Ranges: <range-unit>
• Range: Indicates the part of a document that the server should return. For example, Range:80-100 will return the bytes 80 to 100 of the original response with a status code of 206 Partial Content. Also remember to remove the Accept-Encoding header from the request.
• This could be useful to get a response with arbitrary reflected javascript code that otherwise could be escaped. But to abuse this you would need to inject this headers in the request.
• If-Range: Creates a conditional range request that is only fulfilled if the given etag or date matches the remote resource. Used to prevent downloading two ranges from incompatible version of the resource.
• Content-Range: Indicates where in a full body message a partial message belongs.

Message body information

• Content-Length: The size of the resource, in decimal number of bytes.
• Content-Type: Indicates the media type of the resource
• Content-Encoding: Used to specify the compression algorithm.
• Content-Language: Describes the human language(s) intended for the audience, so that it allows a user to differentiate according to the users' own preferred language.
• Content-Location: Indicates an alternate location for the returned data.

From a pentest point of view this information is usually "useless", but if the resource is protected by a 401 or 403 and you can find some way to get this info, this could be interesting.
For example a combination of Range and Etag in a HEAD request can leak the content of the page via HEAD requests:

• A request with the header Range: bytes=20-20 and with a response containing ETag: W/"1-eoGvPlkaxxP4HqHv6T3PNhV9g3Y" is leaking that the SHA1 of the byte 20 is ETag: eoGvPlkaxxP4HqHv6T3PNhV9g3Y

Server Info

• Server: Apache/2.4.1 (Unix)
• X-Powered-By: PHP/5.3.3

Controls

• Allow: Header hii inatumika kuwasilisha mbinu za HTTP ambazo rasilimali inaweza kushughulikia. Kwa mfano, inaweza kuainishwa kama Allow: GET, POST, HEAD, ikionyesha kwamba rasilimali inasaidia mbinu hizi.
• Expect: Inatumika na mteja kuwasilisha matarajio ambayo seva inahitaji kutimiza ili ombi lilipwe kwa mafanikio. Matumizi ya kawaida ni pamoja na kichwa cha Expect: 100-continue, ambacho kinadhihirisha kwamba mteja anatarajia kutuma mzigo mkubwa wa data. Mteja anatazamia jibu la 100 (Continue) kabla ya kuendelea na uhamasishaji. Mekanismu hii inasaidia kuboresha matumizi ya mtandao kwa kusubiri uthibitisho wa seva.

Downloads

• The Content-Disposition header in HTTP responses directs whether a file should be displayed inline (within the webpage) or treated as an attachment (downloaded). For instance:

Content-Disposition: attachment; filename="filename.jpg"

Hii inamaanisha faili iliyo na jina "filename.jpg" inakusudiwa kupakuliwa na kuhifadhiwa.

Vichwa vya Usalama

Sera ya Usalama wa Maudhui (CSP)

{{#ref}} ../../pentesting-web/content-security-policy-csp-bypass/ {{#endref}}

Aina Zinazotegemewa

Kwa kutekeleza Aina Zinazotegemewa kupitia CSP, programu zinaweza kulindwa dhidi ya mashambulizi ya DOM XSS. Aina Zinazotegemewa zinahakikisha kwamba ni vitu vilivyoundwa kwa usahihi pekee, vinavyokubaliana na sera za usalama zilizowekwa, vinaweza kutumika katika wito hatari wa API za wavuti, hivyo kulinda msimbo wa JavaScript kwa default.

// Feature detection
if (window.trustedTypes && trustedTypes.createPolicy) {
// Name and create a policy
const policy = trustedTypes.createPolicy('escapePolicy', {
createHTML: str => str.replace(/\</g, '&lt;').replace(/>/g, '&gt;');
});
}

// Assignment of raw strings is blocked, ensuring safety.
el.innerHTML = "some string" // Throws an exception.
const escaped = policy.createHTML("<img src=x onerror=alert(1)>")
el.innerHTML = escaped // Results in safe assignment.

X-Content-Type-Options

Kichwa hiki kinazuia upimaji wa aina ya MIME, mbinu ambayo inaweza kusababisha udhaifu wa XSS. Kinahakikisha kwamba vivinjari vinaheshimu aina za MIME zilizotajwa na seva.

X-Content-Type-Options: nosniff

X-Frame-Options

Ili kupambana na clickjacking, kichwa hiki kinapunguza jinsi hati zinavyoweza kuingizwa katika <frame>, <iframe>, <embed>, au <object> tags, kikipendekeza hati zote kufafanua ruhusa zao za kuingizwa waziwazi.

X-Frame-Options: DENY

Cross-Origin Resource Policy (CORP) and Cross-Origin Resource Sharing (CORS)

CORP ni muhimu kwa kubainisha ni rasilimali zipi zinaweza kupakiwa na tovuti, ikipunguza uvujaji wa taarifa kati ya tovuti. CORS, kwa upande mwingine, inaruhusu mfumo wa kubadilishana rasilimali za asili tofauti kwa njia rahisi, ikirekebisha sera ya asili sawa chini ya hali fulani.

Cross-Origin-Resource-Policy: same-origin
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Credentials: true

Cross-Origin Embedder Policy (COEP) and Cross-Origin Opener Policy (COOP)

COEP na COOP ni muhimu kwa kuwezesha kutengwa kwa mipaka ya asili, kupunguza kwa kiasi kikubwa hatari ya mashambulizi kama ya Spectre. Zinadhibiti upakiaji wa rasilimali za mipaka tofauti na mwingiliano na madirisha ya mipaka tofauti, mtawalia.

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin-allow-popups

HTTP Strict Transport Security (HSTS)

Mwisho, HSTS ni kipengele cha usalama ambacho kinawalazimisha vivinjari kuwasiliana na seva tu kupitia muunganisho salama wa HTTPS, hivyo kuboresha faragha na usalama.

Strict-Transport-Security: max-age=3153600

Marejeleo

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
• https://web.dev/security-headers/
• https://web.dev/articles/security-headers

{{#include ../../banners/hacktricks-training.md}}