# Special HTTP headers ## Wordlists: * [https://github.com/danielmiessler/SecLists/tree/master/Miscellaneous/web/http-request-headers](https://github.com/danielmiessler/SecLists/tree/master/Miscellaneous/web/http-request-headers) ## Headers to Change Location Rewrite **IP source**: * `X-Originating-IP: 127.0.0.1` * `X-Forwarded-For: 127.0.0.1` * `X-Forwarded: 127.0.0.1` * `Forwarded-For: 127.0.0.1` * `X-Remote-IP: 127.0.0.1` * `X-Remote-Addr: 127.0.0.1` * `X-ProxyUser-Ip: 127.0.0.1` * `X-Original-URL: 127.0.0.1` * `Client-IP: 127.0.0.1` * `True-Client-IP: 127.0.0.1` * `Cluster-Client-IP: 127.0.0.1` * `X-ProxyUser-Ip: 127.0.0.1` * `Connection: close, X-Forwarded-For` \(Check hop-by-hop headers\) Rewrite **location**: * `X-Original-URL: /admin/console` * `X-Rewrite-URL: /admin/console` ## Hop-by-Hop headers A hop-by-hop header is a header which is designed to be processed and consumed by the proxy currently handling the request, as opposed to an end-to-end header. * `Connection: close, X-Forwarded-For` {% page-ref page="../../pentesting-web/abusing-hop-by-hop-headers.md" %} ## HTTP Request Smuggling * `Content-Length: 30` * `Transfer-Encoding: chunked` {% page-ref page="../../pentesting-web/http-request-smuggling.md" %} ## Cache Headers * **`X-Cache`** in the response may have the value **`miss`** when the request wasn't cached and the value **`hit`** when it is cached * **`Cache-Control`** indicates if a resource is being cached and when will be the next time the resource will be cached again: `Cache-Control: public, max-age=1800` * **`Vary`** is often used in the response to **indicate additional headers** that are treated as **part of the cache key** even if they are normally unkeyed. * **`Age`** defines the times in seconds the object has been in the proxy cache. {% page-ref page="../../pentesting-web/cache-deception.md" %} ## Conditionals * Requests using these headers: `If-Modified-Since` and `If-Unmodified-Since` will be responded with data only if the response header`Last-Modified` contains a different time. * Conditional requests using `If-Match` and `If-None-Match` use an Etag value so the web server will send the content of the response if the data \(Etag\) has changed. The `Etag` is taken from the HTTP response. * The **Etag** value is usually **calculated based** on the **content** of the response. For example, `ETag: W/"37-eL2g8DEyqntYlaLp5XLInBWsjWI"` indicates that the `Etag` is the **Sha1** of **37 bytes**. ## Range requests * `Accept-Ranges`: Indicates if the server supports range requests, and if so in which unit the range can be expressed. * `Range`: Indicates the part of a document that the server should return. * `If-Range`: Creates a conditional range request that is only fulfilled if the given etag or date matches the remote resource. Used to prevent downloading two ranges from incompatible version of the resource. * `Content-Range`: Indicates where in a full body message a partial message belongs. ## Message body information * `Content-Length`**:** The size of the resource, in decimal number of bytes. * `Content-Type`: Indicates the media type of the resource * `Content-Encoding`: Used to specify the compression algorithm. * `Content-Language`: Describes the human language\(s\) intended for the audience, so that it allows a user to differentiate according to the users' own preferred language. * `Content-Location`: Indicates an alternate location for the returned data. From a pentest point of view this information is usually "useless", but if the resource is **protected** by a 401 or 403 and you can find some **way** to **get** this **info**, this could be **interesting.** For example a combination of **`Range`** and **`Etag`** in a HEAD request can leak the content of the page via HEAD requests: * A request with the header `Range: bytes=20-20` and with a response containing `ETag: W/"1-eoGvPlkaxxP4HqHv6T3PNhV9g3Y"` is leaking that the SHA1 of the byte 20 is `ETag: eoGvPlkaxxP4HqHv6T3PNhV9g3Y` ## Resources * [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers)