hacktricks/pentesting/pentesting-web/special-http-headers.md

6.1 KiB

Special HTTP headers

Wordlists

Headers to Change Location

Rewrite IP source:

  • X-Originating-IP: 127.0.0.1
  • X-Forwarded-For: 127.0.0.1
  • X-Forwarded: 127.0.0.1
  • Forwarded-For: 127.0.0.1
  • X-Forwarded-Host: 127.0.0.1
  • X-Remote-IP: 127.0.0.1
  • X-Remote-Addr: 127.0.0.1
  • X-ProxyUser-Ip: 127.0.0.1
  • X-Original-URL: 127.0.0.1
  • Client-IP: 127.0.0.1
  • X-Client-IP: 127.0.0.1
  • X-Host: 127.0.0.1
  • True-Client-IP: 127.0.0.1
  • Cluster-Client-IP: 127.0.0.1
  • X-ProxyUser-Ip: 127.0.0.1
  • Via: 1.0 fred, 1.1 127.0.0.1
  • Connection: close, X-Forwarded-For (Check hop-by-hop headers)

Rewrite location:

  • X-Original-URL: /admin/console
  • X-Rewrite-URL: /admin/console

Hop-by-Hop headers

A hop-by-hop header is a header which is designed to be processed and consumed by the proxy currently handling the request, as opposed to an end-to-end header.

  • Connection: close, X-Forwarded-For

{% content-ref url="../../pentesting-web/abusing-hop-by-hop-headers.md" %} abusing-hop-by-hop-headers.md {% endcontent-ref %}

HTTP Request Smuggling

  • Content-Length: 30
  • Transfer-Encoding: chunked

{% content-ref url="../../pentesting-web/http-request-smuggling.md" %} http-request-smuggling.md {% endcontent-ref %}

Cache Headers

Server Cache Headers:

  • X-Cache in the response may have the value miss when the request wasn't cached and the value hit when it is cached
  • Cache-Control indicates if a resource is being cached and when will be the next time the resource will be cached again: Cache-Control: public, max-age=1800
  • Vary is often used in the response to indicate additional headers that are treated as** part of the cache key** even if they are normally unkeyed.
  • Age defines the times in seconds the object has been in the proxy cache.

{% content-ref url="../../pentesting-web/cache-deception.md" %} cache-deception.md {% endcontent-ref %}

Local Cache headers:

  • Clear-Site-Data: Header to indicate the cache that should be removed: Clear-Site-Data: "cache", "cookies"
  • Expires: Contains date/time when the response should expire: Expires: Wed, 21 Oct 2015 07:28:00 GMT
  • Pragma: no-cache same as Cache-Control: no-cache
  • Warning: The Warning general HTTP header contains information about possible problems with the status of the message. More than one Warning header may appear in a response. Warning: 110 anderson/1.3.37 "Response is stale"

Conditionals

  • Requests using these headers: If-Modified-Since and If-Unmodified-Since will be responded with data only if the response header**Last-Modified** contains a different time.
  • Conditional requests using If-Match and If-None-Match use an Etag value so the web server will send the content of the response if the data (Etag) has changed. The Etag is taken from the HTTP response.
    • The **Etag **value is usually **calculated based **on the **content **of the response. For example, ETag: W/"37-eL2g8DEyqntYlaLp5XLInBWsjWI" indicates that the Etag is the **Sha1 **of 37 bytes.

Range requests

  • Accept-Ranges: Indicates if the server supports range requests, and if so in which unit the range can be expressed. Accept-Ranges: <range-unit>
  • Range: Indicates the part of a document that the server should return.
  • If-Range: Creates a conditional range request that is only fulfilled if the given etag or date matches the remote resource. Used to prevent downloading two ranges from incompatible version of the resource.
  • Content-Range: Indicates where in a full body message a partial message belongs.

Message body information

  • **Content-Length: **The size of the resource, in decimal number of bytes.
  • Content-Type: Indicates the media type of the resource
  • Content-Encoding: Used to specify the compression algorithm.
  • Content-Language: Describes the human language(s) intended for the audience, so that it allows a user to differentiate according to the users' own preferred language.
  • Content-Location: Indicates an alternate location for the returned data.

From a pentest point of view this information is usually "useless", but if the resource is **protected **by a 401 or 403 and you can find some **way **to **get **this info, this could be **interesting. **
****For example a combination of Range and Etag in a HEAD request can leak the content of the page via HEAD requests:

  • A request with the header Range: bytes=20-20 and with a response containing ETag: W/"1-eoGvPlkaxxP4HqHv6T3PNhV9g3Y" is leaking that the SHA1 of the byte 20 is ETag: eoGvPlkaxxP4HqHv6T3PNhV9g3Y

Server Info

  • Server: Apache/2.4.1 (Unix)
  • X-Powered-By: PHP/5.3.3

Controls

  • **Allow: **Lists the set of methods supported by a resource. Allow: GET, POST, HEAD
  • Expect: The Expect HTTP request header indicates expectations that need to be fulfilled by the server in order to properly handle the request.
    • No other expectations except Expect: 100-continue are specified currently. Informs recipients that the client is about to send a (presumably large) message body in this request and wishes to receive a 100 (Continue) interim response.

Downloads

  • Content-Disposition: In a regular HTTP response, the Content-Disposition response header is a header indicating if the content is expected to be displayed inline in the browser, that is, as a Web page or as part of a Web page, or as an attachment, that is downloaded and saved locally.
    • Content-Disposition: attachment; filename="filename.jpg"

Resources