mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-29 14:33:10 +00:00
5.8 KiB
5.8 KiB
Special HTTP headers
Wordlists
Headers to Change Location
Rewrite IP source:
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded: 127.0.0.1
Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
X-Original-URL: 127.0.0.1
Client-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
True-Client-IP: 127.0.0.1
Cluster-Client-IP: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
Via: 1.0 fred, 1.1 127.0.0.1
Connection: close, X-Forwarded-For
Check hop-by-hop headers
Rewrite location:
X-Original-URL: /admin/console
X-Rewrite-URL: /admin/console
Hop-by-Hop headers
A hop-by-hop header is a header which is designed to be processed and consumed by the proxy currently handling the request, as opposed to an end-to-end header.
Connection: close, X-Forwarded-For
{% page-ref page="../../pentesting-web/abusing-hop-by-hop-headers.md" %}
HTTP Request Smuggling
Content-Length: 30
Transfer-Encoding: chunked
{% page-ref page="../../pentesting-web/http-request-smuggling.md" %}
Cache Headers
Server Cache Headers:
X-Cache
in the response may have the valuemiss
when the request wasn't cached and the valuehit
when it is cachedCache-Control
indicates if a resource is being cached and when will be the next time the resource will be cached again:Cache-Control: public, max-age=1800
Vary
is often used in the response to indicate additional headers that are treated as part of the cache key even if they are normally unkeyed.Age
defines the times in seconds the object has been in the proxy cache.
{% page-ref page="../../pentesting-web/cache-deception.md" %}
Local Cache headers:
Clear-Site-Data
: Header to indicate the cache that should be removed:Clear-Site-Data: "cache", "cookies"
Expires
: Contains date/time when the response should expire:Expires: Wed, 21 Oct 2015 07:28:00 GMT
Pragma: no-cache
same asCache-Control: no-cache
Warning
: TheWarning
general HTTP header contains information about possible problems with the status of the message. More than oneWarning
header may appear in a response.Warning: 110 anderson/1.3.37 "Response is stale"
Conditionals
- Requests using these headers:
If-Modified-Since
andIf-Unmodified-Since
will be responded with data only if the response header**Last-Modified
** contains a different time. - Conditional requests using
If-Match
andIf-None-Match
use an Etag value so the web server will send the content of the response if the dataEtag
has changed. TheEtag
is taken from the HTTP response.- The Etag value is usually calculated based on the content of the response. For example,
ETag: W/"37-eL2g8DEyqntYlaLp5XLInBWsjWI"
indicates that theEtag
is the Sha1 of 37 bytes.
- The Etag value is usually calculated based on the content of the response. For example,
Range requests
Accept-Ranges
: Indicates if the server supports range requests, and if so in which unit the range can be expressed.Accept-Ranges: <range-unit>
Range
: Indicates the part of a document that the server should return.If-Range
: Creates a conditional range request that is only fulfilled if the given etag or date matches the remote resource. Used to prevent downloading two ranges from incompatible version of the resource.Content-Range
: Indicates where in a full body message a partial message belongs.
Message body information
Content-Length
: The size of the resource, in decimal number of bytes.Content-Type
: Indicates the media type of the resourceContent-Encoding
: Used to specify the compression algorithm.Content-Language
: Describes the human language(s) intended for the audience, so that it allows a user to differentiate according to the users' own preferred language.Content-Location
: Indicates an alternate location for the returned data.
From a pentest point of view this information is usually "useless", but if the resource is protected by a 401 or 403 and you can find some way to get this info, this could be interesting.
For example a combination of Range
and Etag
in a HEAD request can leak the content of the page via HEAD requests:
- A request with the header
Range: bytes=20-20
and with a response containingETag: W/"1-eoGvPlkaxxP4HqHv6T3PNhV9g3Y"
is leaking that the SHA1 of the byte 20 isETag: eoGvPlkaxxP4HqHv6T3PNhV9g3Y
Server Info
Server: Apache/2.4.1 (Unix)
X-Powered-By: PHP/5.3.3
Controls
Allow
: Lists the set of methods supported by a resource.Allow: GET, POST, HEAD
Expect
: TheExpect
HTTP request header indicates expectations that need to be fulfilled by the server in order to properly handle the request.- No other expectations except
Expect: 100-continue
are specified currently. Informs recipients that the client is about to send apresumably large
message body in this request and wishes to receive a100
Continue
interim response.
- No other expectations except
Downloads
Content-Disposition
: In a regular HTTP response, theContent-Disposition
response header is a header indicating if the content is expected to be displayed inline in the browser, that is, as a Web page or as part of a Web page, or as an attachment, that is downloaded and saved locally.Content-Disposition: attachment; filename="filename.jpg"