[WEB SECURITY] Header Injection Prevention

PortSwigger mail at portswigger.net
Sun Jan 16 14:44:11 EST 2011


One potential caveat to this statement, which occurred to me later, applies to any reverse proxies that are employed within the application's own hosting infrastructure. If a reverse proxy resides behind an SSL terminator, and performs caching, then it may be a valid target for cache poisoning attacks, and would likely be affected by any header injection vulnerabilities within the application.

Cheers
PortSwigger


On 16 Jan 2011, at 14:54, nagiosnagios nagios wrote:

> Hi List
> 
> According to "The Web Application Hacker's Handbook", page 438:
> 
> "If it is considered unavoidable to insert user-controllable data into
> HTTP headers, the application should employ a twofold defense-in-depth
> approach to prevent any vulnerabilities arising:
> 
> - Input validation — The application should perform
> context-dependent validation of the data being inserted, in as strict a
> manner as possible. For example, if a cookie value is being set based on
> user input, it may be appropriate to restrict this to alphabetical
> characters only, and a maximum length of six bytes.
> 
> - Output validation — Every piece of data being inserted into
> headers should be filtered to detect potentially malicious characters. In
> practice, any character with an ASCII code below 0x20 should be regarded
> as suspicious, and the request should be rejected.
> 
> Applications can prevent any remaining header injection
> vulnerabilities from being used to poison proxy server caches by using HTTPS
> for all application content."
> 
> 
> How does using HTTPS prevent header
> injection vulnerabilities from poisoning proxy caches?
> 
> Thanks
> Josh

