TL;DR
Header injection happens when an attacker can control HTTP headers sent by your server. This lets them potentially redirect users, inject malicious content, or perform other attacks. We’ll cover how to identify and fix this vulnerability.
1. Understanding the Problem
Your web application likely takes user input (e.g., from forms, cookies, or URL parameters) and uses it in HTTP headers. If this input isn’t properly sanitised, an attacker can inject their own header values. For example, if your code does something like:
header('Location: ' . $_GET['redirect_url']);
An attacker could set ?redirect_url=http://evil.com to redirect users to a malicious site.
2. Identifying Header Injection Vulnerabilities
- Review Code: Look for places where user input is directly used in header functions (e.g., header(), setcookie(), or similar).
- Manual Testing: Try injecting special characters and values into input fields that might affect headers. Common payloads include:
- Newlines (%0A or \n, usually sent together with a carriage return as \r\n) to create multiple headers.
- Carriage returns (%0D).
- Colon (:) to inject new header names.
- URLs for redirection attempts.
- Automated Scanners: Use web application security scanners like OWASP ZAP or Burp Suite to automatically detect potential header injection vulnerabilities.
3. Preventing Header Injection
- Input Validation: The most important step! Strictly validate all user input before using it in headers.
- Whitelisting: Only allow known, safe characters or values. For example, if you expect a URL, check that it’s a valid URL format and matches an allowed domain.
- Blacklisting (less effective): Avoid specific dangerous characters like newlines, carriage returns, and colons. Blacklisting is harder to get right as attackers can often find ways around it.
- Output Encoding: Encode any user-supplied data before including it in headers. Use functions like urlencode() for URLs, or other appropriate encoding methods based on the header type.
- HttpOnly Cookies: Set the HttpOnly flag on cookies to prevent client-side scripts from accessing them, reducing the risk of cookie-based injection attacks. For example:
setcookie('session_id', 'value', ['httponly' => true]);
- Content Security Policy (CSP): Implement a strong CSP to control which resources your web application is allowed to load, mitigating the impact of injected scripts.
- Use Framework Features: Modern web frameworks often provide built-in protection against header injection. Use these features whenever possible.
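To make the advice in this section concrete, here is an added example (not code from the original article) of a small PHP helper that rejects control characters in any header value built from user input, keeps header names out of user control entirely, and sets a session cookie with the HttpOnly, Secure and SameSite flags. Function names are hypothetical. One caveat worth knowing: PHP's own header() has refused to send a value containing a newline since PHP 5.1.2, so the check below is defence in depth for code paths and frameworks that build headers another way; and the colon payload from section 2 only matters where user input reaches a header name, which this helper never permits (colons are legal inside values such as Location: https://...).

```php
<?php
// Added example (not from the original article). Function names are hypothetical.
declare(strict_types=1);

/**
 * Reject any value that could end the header line or otherwise break header
 * syntax: CR, LF, NUL and other control characters (the section 2 payloads).
 * Allowed: visible ASCII, space and horizontal tab (RFC 7230 field-value).
 * Returns the value unchanged if it is safe, throws otherwise.
 */
function safe_header_value(string $value): string
{
    if (preg_match('/[^\x20-\x7E\t]/', $value) === 1) {
        throw new InvalidArgumentException('header value contains control characters');
    }
    return $value;
}

/**
 * Send one header from a fixed, code-controlled name and a validated value.
 * The name is never taken from user input; only the value is.
 */
function set_safe_header(string $name, string $value): void
{
    if (preg_match('/^[A-Za-z0-9-]+$/', $name) !== 1) {
        throw new InvalidArgumentException('invalid header name');
    }
    header($name . ': ' . safe_header_value($value));
}

/**
 * Session cookie with the flags a session cookie should carry. The options
 * array form of setcookie() needs PHP 7.3 or later; setcookie() URL-encodes
 * the value itself, so no extra encoding is applied here.
 */
function set_session_cookie(string $sessionId): void
{
    setcookie('session_id', $sessionId, [
        'httponly' => true,   // not readable from JavaScript
        'secure'   => true,   // only sent over HTTPS
        'samesite' => 'Lax',  // not sent on most cross-site requests
        'path'     => '/',
    ]);
}

// Constructed demonstration values (not real traffic).
set_safe_header('X-Request-Id', 'abc123');                        // accepted
try {
    set_safe_header('X-Request-Id', "abc123\r\nX-Injected: 1");  // rejected
} catch (InvalidArgumentException $e) {
    error_log('rejected header value: ' . $e->getMessage());
}
set_session_cookie(bin2hex(random_bytes(16)));
```

Run from the command line, header() and setcookie() are no-ops, so the script simply logs the rejected value; in a web request the first header and the cookie are sent and the second header never leaves the server. Logging rejections, as done here, also gives you a cheap detection signal for probing against your redirect and cookie endpoints.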
4. Example Fix
Instead of directly using user input in the Location header, validate it first:
$redirect_url = $_GET['redirect_url'] ?? '';
if (filter_var($redirect_url, FILTER_VALIDATE_URL) && strpos(strtolower($redirect_url), 'evil.com') === false) {
header('Location: ' . $redirect_url);
} else {
// Handle invalid URL - redirect to a safe page or show an error.
header('Location: /safe_page.php');
}
This example checks if the input is a valid URL and doesn’t contain ‘evil.com’. If either check fails, it redirects to a safe page.
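The fix above works as described, but its 'evil.com' check is the kind of blacklist that section 3 calls less effective: it only knows about one host. As an added example (not the article's own code), here is the same redirect rebuilt around an allowlist of hosts, which is what section 3 recommends; the function name and the allowed hosts are assumptions. It also accepts site-relative paths while refusing scheme-relative ones (browsers treat a leading // or /\ as an absolute URL), rejects URLs carrying user-info before the host, and stops script execution after sending the header.

```php
<?php
// Added example (not from the original article). Function name and hosts are hypothetical.
declare(strict_types=1);

/** Hosts that redirects may point to. Adjust for your application. */
const ALLOWED_REDIRECT_HOSTS = ['www.example.com', 'example.com'];

/**
 * Return a redirect target that is safe to place in a Location header, or null.
 * Accepts a site-relative path ("/account") or an absolute https URL whose
 * host is on the allowlist. Everything else, including any value containing
 * CR/LF or other control characters, is rejected.
 */
function safe_redirect_target(string $candidate): ?string
{
    // Control characters would end the header line (section 2 payloads).
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate) === 1) {
        return null;
    }

    // Site-relative path: exactly one leading slash and no backslashes,
    // so "//host/..." and "/\host/..." (both read as absolute by browsers) fail.
    if (preg_match('#^/(?!/)[^\\\\]*$#', $candidate) === 1) {
        return $candidate;
    }

    if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null;
    }
    // "https://example.com@other.host" parses example.com as user-info, not host.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_REDIRECT_HOSTS, true)) {
        return null;
    }
    return $candidate;
}

$target = safe_redirect_target($_GET['redirect_url'] ?? '');
header('Location: ' . ($target ?? '/safe_page.php'));
exit; // nothing after a redirect header should keep executing
```

With this in place, a request for ?redirect_url=/account or ?redirect_url=https://www.example.com/login is redirected as requested, while any other host, any http:// URL, a scheme-relative //host path, or a value with embedded newlines falls through to /safe_page.php. Keeping the allowlist in one constant also makes the policy reviewable in a single place, which the substring check does not offer.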