Header injection

from Wikipedia, the free encyclopedia

Header injection is a class of security vulnerabilities in web applications that occurs when the headers of a protocol message are built dynamically from insufficiently checked user input. Because header fields are delimited by control characters (usually the line-break sequence CRLF), an attacker who can place those characters in a value can terminate the intended field and append fields of his own.

In HTTP, header injection can lead, for example, to HTTP response splitting and cross-site scripting. When e-mails are generated dynamically by a web application, a header injection attack can be used to add further recipients to a message and thus to send spam (e-mail injection).

Example

A website has a form with input fields for subject and message through which visitors can write to the operator. A server-side script builds the e-mail from the submitted data and sends it to a predefined address. The resulting message looks, for example, like this:

Subject: (subject entered by the visitor)
From: besucher@some.example.com
To: webmaster@some.example.com
(message entered by the visitor)

If an attacker types into the subject field a subject followed by the character sequence carriage return and line feed (CRLF) and then a line such as BCC: user1@another.example.com, user2@another.example.com, …, and the script copies this input into the message without checking it, the result is:

Subject: Spam
BCC: user1@another.example.com, user2@another.example.com, …
From: besucher@some.example.com
To: webmaster@some.example.com
Spam

The mail server treats the injected line as a genuine header, so the e-mail is also delivered as a blind copy to user1, user2, …. The operator's address stays in the To field, which is why the attack is noticed quickly (see below).

Because the spammer does not care about the server's response to the form submission, he can in principle hide behind IP spoofing: the server administrator then sees in the log file that each spam mail was submitted from a different IP address, and the spammer remains anonymous. In practice the form is submitted over TCP, whose handshake requires the client to receive the server's replies, so blind spoofing of the source address is hard; the same effect is more commonly achieved through open proxies or compromised hosts.

Since the webmaster also receives a copy of every spam mail, he will usually close the gap quickly.

Countermeasures

To prevent header injection, user input must be checked carefully, in particular for the metacharacters that have special meaning in the protocol concerned.

As a rule, the individual header fields are separated by the line-break sequence CRLF. User input that is placed in a header must therefore either be rejected or filtered if it contains these characters, or be encoded so that they lose their meaning. In HTTP this is done, for example, with URL encoding (CR and LF become %0D and %0A); in SMTP, quoted-printable encoding can be used in addition. Rejecting such input outright is the simplest option and keeps attack attempts visible in the logs.
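The contact-form scenario from the example section and the CRLF check described here, as an added example (this is not code from the original article): the naive string-concatenating builder is shown beside a hardened version, a minimal header parser stands in for the mail transfer agent so the effect of the injected line is visible, and a small helper shows the URL-encoding countermeasure for HTTP. The addresses, field names and sample inputs are constructed for illustration.

```python
# Added example, not code from the original article. Addresses, field
# names and sample inputs are constructed for illustration.
import re
from email.message import EmailMessage
from email import policy
from urllib.parse import quote

CRLF = "\r\n"
OPERATOR = "webmaster@some.example.com"  # the form's fixed, predefined recipient


def build_naive(sender: str, subject: str, body: str) -> str:
    """Vulnerable: the subject goes into the header block unchecked,
    so a CRLF inside it starts a new header line."""
    return (f"Subject: {subject}{CRLF}"
            f"From: {sender}{CRLF}"
            f"To: {OPERATOR}{CRLF}"
            f"{CRLF}{body}")


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Minimal header parser standing in for the mail transfer agent:
    everything before the first blank line is one 'Name: value' per line."""
    head, _, _body = raw.partition(CRLF + CRLF)
    parsed = []
    for line in head.split(CRLF):
        name, _, value = line.partition(":")
        parsed.append((name.strip().lower(), value.strip()))
    return parsed


def recipients(raw: str) -> list[str]:
    """Every address-bearing header the MTA would deliver to."""
    return [v for n, v in parse_headers(raw) if n in ("to", "cc", "bcc")]


class HeaderInjectionError(ValueError):
    pass


_LINE_BREAKING = re.compile(r"[\r\n\x00]")


def clean_header_value(value: str, max_len: int = 200) -> str:
    """Reject, rather than silently strip, anything that can terminate a
    header line; rejecting keeps the attempt visible in the logs."""
    if _LINE_BREAKING.search(value):
        raise HeaderInjectionError("CR, LF or NUL in header value")
    if len(value) > max_len:
        raise HeaderInjectionError("header value too long")
    return value


def build_safe(sender: str, subject: str, body: str) -> str:
    """Hardened: validate each user-supplied value, then let the standard
    library serialise the message instead of concatenating strings."""
    msg = EmailMessage()
    msg["Subject"] = clean_header_value(subject)
    msg["From"] = clean_header_value(sender)
    msg["To"] = OPERATOR
    msg.set_content(body)
    return msg.as_string(policy=policy.SMTP)  # SMTP policy writes CRLF line ends


def form_accepts(subject: str) -> bool:
    """True when the hardened builder would send a message with this subject."""
    try:
        build_safe("besucher@some.example.com", subject, "x")
    except HeaderInjectionError:
        return False
    return True


def stdlib_rejects(subject: str) -> bool:
    """Second line of defence: EmailMessage's default policy itself refuses
    a header value that spans more than one line."""
    msg = EmailMessage()
    try:
        msg["Subject"] = subject
    except ValueError:
        return True
    return False


def encode_for_http_header(value: str) -> str:
    """HTTP side: percent-encode a user-derived value (e.g. a redirect target
    for a Location header) so CR/LF cannot split the response."""
    return quote(value, safe="/?=&:")


if __name__ == "__main__":
    injected = "Spam" + CRLF + "BCC: user1@another.example.com, user2@another.example.com"
    print(recipients(build_naive("besucher@some.example.com", injected, "Spam")))
    print("hardened form accepts it:", form_accepts(injected))
    print(encode_for_http_header("/next" + CRLF + "Set-Cookie: a=b"))
```

Note that the hardened builder rejects the input instead of stripping the CRLF: silently removing the characters would turn the attacker's BCC line into part of the subject, which is harmless, but it also hides the attempt from the operator.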

PHP

In the widely used PHP scripting language, injection through the header() function has been prevented automatically since versions 4.4.2 and 5.1.2: only one header per call is accepted, and a value containing a newline is refused. With the mail() function, however, the check still has to be performed by hand.

References

  1. Reference page of the header() function in the PHP manual
  2. Reference page of the mail() function in the PHP manual
