Special HTTP headers
Wordlists & Tools
Headers to Change Location
Rewrite IP source:
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded: 127.0.0.1
Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
X-Original-URL: 127.0.0.1
Client-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
True-Client-IP: 127.0.0.1
Cluster-Client-IP: 127.0.0.1
Via: 1.0 fred, 1.1 127.0.0.1
Connection: close, X-Forwarded-For
(Check hop-by-hop headers)
Rewrite location:
X-Original-URL: /admin/console
X-Rewrite-URL: /admin/console
Hop-by-Hop headers
A hop-by-hop header is a header which is designed to be processed and consumed by the proxy currently handling the request, as opposed to an end-to-end header.
Connection: close, X-Forwarded-For
HTTP Request Smuggling
Content-Length: 30
Transfer-Encoding: chunked
Cache Headers
Server Cache Headers:
X-Cache
in the response may have the valuemiss
when the request wasn't cached and the valuehit
when it is cachedSimilar behaviour in the header
Cf-Cache-Status
Cache-Control
indicates if a resource is being cached and when will be the next time the resource will be cached again:Cache-Control: public, max-age=1800
Vary
is often used in the response to indicate additional headers that are treated as part of the cache key even if they are normally unkeyed.Age
defines the times in seconds the object has been in the proxy cache.Server-Timing: cdn-cache; desc=HIT
also indicates that a resource was cached
Local Cache headers:
Clear-Site-Data
: Header to indicate the cache that should be removed:Clear-Site-Data: "cache", "cookies"
Expires
: Contains date/time when the response should expire:Expires: Wed, 21 Oct 2015 07:28:00 GMT
Pragma: no-cache
same asCache-Control: no-cache
Warning
: TheWarning
general HTTP header contains information about possible problems with the status of the message. More than oneWarning
header may appear in a response.Warning: 110 anderson/1.3.37 "Response is stale"
Conditionals
Requests using these headers:
If-Modified-Since
andIf-Unmodified-Since
will be responded with data only if the response header**Last-Modified
** contains a different time.Conditional requests using
If-Match
andIf-None-Match
use an Etag value so the web server will send the content of the response if the data (Etag) has changed. TheEtag
is taken from the HTTP response.The Etag value is usually calculated based on the content of the response. For example,
ETag: W/"37-eL2g8DEyqntYlaLp5XLInBWsjWI"
indicates that theEtag
is the Sha1 of 37 bytes.
Range requests
Accept-Ranges
: Indicates if the server supports range requests, and if so in which unit the range can be expressed.Accept-Ranges: <range-unit>
Range
: Indicates the part of a document that the server should return.If-Range
: Creates a conditional range request that is only fulfilled if the given etag or date matches the remote resource. Used to prevent downloading two ranges from incompatible version of the resource.Content-Range
: Indicates where in a full body message a partial message belongs.
Message body information
Content-Length
: Ukubwa wa rasilimali, katika nambari ya desimali ya bytes.Content-Type
: Inaonyesha aina ya media ya rasilimaliContent-Encoding
: Inatumika kubainisha algorithm ya compression.Content-Language
: Inaelezea lugha za kibinadamu zinazokusudiwa kwa hadhira, ili kuruhusu mtumiaji kutofautisha kulingana na lugha anayoipendelea.Content-Location
: Inaonyesha eneo mbadala la data iliyorejeshwa.
From a pentest point of view this information is usually "useless", but if the resource is protected by a 401 or 403 and you can find some way to get this info, this could be interesting.
For example a combination of Range
and Etag
in a HEAD request can leak the content of the page via HEAD requests:
A request with the header
Range: bytes=20-20
and with a response containingETag: W/"1-eoGvPlkaxxP4HqHv6T3PNhV9g3Y"
is leaking that the SHA1 of the byte 20 isETag: eoGvPlkaxxP4HqHv6T3PNhV9g3Y
Server Info
Server: Apache/2.4.1 (Unix)
X-Powered-By: PHP/5.3.3
Controls
Allow
: Header hii inatumika kuwasiliana mbinu za HTTP ambazo rasilimali inaweza kushughulikia. Kwa mfano, inaweza kuainishwa kamaAllow: GET, POST, HEAD
, ikionyesha kwamba rasilimali inasaidia mbinu hizi.Expect
: Inatumika na mteja kuwasilisha matarajio ambayo seva inahitaji kutimiza ili ombi lilipwe kwa mafanikio. Matumizi ya kawaida ni pamoja na kichwa chaExpect: 100-continue
, ambacho kinadhihirisha kwamba mteja anakusudia kutuma mzigo mkubwa wa data. Mteja anatazamia jibu la100 (Continue)
kabla ya kuendelea na uhamishaji. Mekanismu hii inasaidia kuboresha matumizi ya mtandao kwa kusubiri uthibitisho wa seva.
Downloads
The
Content-Disposition
header in HTTP responses directs whether a file should be displayed inline (within the webpage) or treated as an attachment (downloaded). For instance:
Hii inamaanisha faili iliyo na jina "filename.jpg" inakusudiwa kupakuliwa na kuhifadhiwa.
Vichwa vya Usalama
Sera ya Usalama wa Maudhui (CSP)
Content Security Policy (CSP) BypassAina Zinazotegemewa
Kwa kutekeleza Aina Zinazotegemewa kupitia CSP, programu zinaweza kulindwa dhidi ya mashambulizi ya DOM XSS. Aina Zinazotegemewa zinahakikisha kwamba ni vitu vilivyoundwa kwa usahihi pekee, vinavyokubaliana na sera za usalama zilizowekwa, vinaweza kutumika katika wito hatari wa API za wavuti, hivyo kulinda msimbo wa JavaScript kwa default.
X-Content-Type-Options
Kichwa hiki kinazuia upimaji wa aina ya MIME, mbinu ambayo inaweza kusababisha udhaifu wa XSS. Kinahakikisha kwamba vivinjari vinaheshimu aina za MIME zilizotolewa na seva.
X-Frame-Options
Ili kupambana na clickjacking, kichwa hiki kinapunguza jinsi hati zinavyoweza kuingizwa katika <frame>
, <iframe>
, <embed>
, au <object>
vitambulisho, kikipendekeza hati zote kufafanua ruhusa zao za kuingizwa waziwazi.
Cross-Origin Resource Policy (CORP) and Cross-Origin Resource Sharing (CORS)
CORP ni muhimu kwa kubaini ni rasilimali zipi zinaweza kupakiwa na tovuti, ikipunguza leaks za tovuti tofauti. CORS, kwa upande mwingine, inaruhusu mfumo wa kushiriki rasilimali za asili tofauti kwa njia rahisi, ikirekebisha sera ya asili sawa chini ya hali fulani.
Sera ya Kuunganisha Mijadala ya Mikoa (COEP) na Sera ya Kufungua Mijadala ya Mikoa (COOP)
COEP na COOP ni muhimu kwa kuwezesha kutengwa kwa mikoa, na kupunguza kwa kiasi kikubwa hatari ya mashambulizi kama ya Spectre. Zinadhibiti upakiaji wa rasilimali za mikoa tofauti na mwingiliano na madirisha ya mikoa tofauti, mtawalia.
HTTP Strict Transport Security (HSTS)
Mwisho, HSTS ni kipengele cha usalama ambacho kinawalazimisha vivinjari kuwasiliana na seva tu kupitia muunganisho salama wa HTTPS, hivyo kuboresha faragha na usalama.
References
Last updated