Method & Headers
TRACE Method
The web server responds to TRACE method requests by echoing the received request.
Security implication
This can reveal sensitive information that the client never sees directly, such as headers added by a reverse proxy or load balancer on the way to the backend (an internal Authorization header, upstream addresses). Browsers no longer let page scripts issue TRACE, so the old cross-site tracing (XST) trick of reading HttpOnly cookies from JavaScript is dead; test the method directly (for example curl -X TRACE) and report it as information disclosure of proxy-injected headers.
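A direct check for the behaviour above, as an added example that is not part of the original notes: send a TRACE request carrying a random canary header and look for that canary in the response body. The local echoing server, its port and the header names are constructed for the demonstration; a real target would be tested with the same `trace_reflected` call against its host and port.

```python
"""Added example: detect a server that echoes TRACE requests.

The EchoingTraceHandler below is a constructed stand-in for a
misconfigured server; it is not code from the notes or from any real
product. Run the file directly to see the check against that stand-in.
"""
import http.client
import http.server
import secrets
import threading


class EchoingTraceHandler(http.server.BaseHTTPRequestHandler):
    """Constructed: answers TRACE by echoing the request line and all
    request headers as message/http, which is exactly what leaks
    proxy-injected headers in the real world."""

    def do_TRACE(self):
        body = self.requestline.encode() + b"\r\n" + self.headers.as_bytes()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_test_server(echo=True):
    """Start a local server on an ephemeral port. echo=False uses the
    stock handler, which answers TRACE with 501 (not implemented).
    Returns (server, port); call server.shutdown() when done."""
    handler = EchoingTraceHandler if echo else http.server.BaseHTTPRequestHandler
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def trace_reflected(host, port, path="/"):
    """Return True if the server reflects our request in a TRACE response.

    The random canary header makes a false positive unlikely: only a
    genuine echo of the request can contain it. Connection errors and
    non-200 answers count as 'not reflected'.
    """
    canary = secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(
            "TRACE",
            path,
            headers={"X-Canary": canary, "Cookie": "session=redacted"},
        )
        resp = conn.getresponse()
        body = resp.read()
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()
    return resp.status == 200 and canary.encode() in body


if __name__ == "__main__":
    srv, port = start_test_server()
    try:
        print("TRACE reflected:", trace_reflected("127.0.0.1", port))
    finally:
        srv.shutdown()
```

When the check is positive, inspect the echoed body: any header you did not send yourself (an Authorization or X-Internal-* line, for instance) was added by something between you and the server and is the actual finding.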
X-Forwarded-For
$_SERVER['REMOTE_ADDR'] contains the actual IP address that the web server received the connection from and that the response will be sent to. $_SERVER['HTTP_X_FORWARDED_FOR'] contains whatever the X-Forwarded-For request header carried, so its value is easily spoofed: any client can send the header with an arbitrary address. It only means something when a trusted reverse proxy in front of the server sets it, and even then only the entry appended by that proxy (the rightmost one) can be relied on.
Security implication
Use it as an injection point: if the application reflects or stores the client IP (error pages, logs, "last login from" views), a payload placed in this header reaches that code path.
Use it to bypass controls keyed on the client IP, such as rate limiting, login lockouts or IP allowlists, by supplying a different address on each request. This only works when the application trusts the header from any source rather than from its own proxy.
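The two points above in code, as an added example that is not taken from the original notes: a naive client-IP lookup that believes X-Forwarded-For from anyone, beside a resolver that walks the chain from the connection address past a configured list of trusted proxies, and a rate limiter keyed on each. All addresses are constructed (TEST-NET ranges); the `trusted_proxies` setting and lower-cased header dict are assumptions about the deployment, not something the notes describe.

```python
"""Added example: X-Forwarded-For trusted blindly vs. resolved through a
trusted-proxy list. Addresses and the proxy subnet are constructed."""
import ipaddress


def client_ip_naive(remote_addr, headers):
    """The common mistake: if X-Forwarded-For is present, believe its
    first entry regardless of who sent it. PHP of the form
    $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] does this.
    'headers' is assumed to use lower-cased header names."""
    xff = headers.get("x-forwarded-for")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_trusted(remote_addr, headers, trusted_proxies):
    """Walk the forwarding chain from the right (the hop we actually
    talked to) and stop at the first address that is not one of our own
    proxies. Everything further left was written by an untrusted party."""
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in trusted)

    candidate = remote_addr
    if not is_trusted(candidate):
        return candidate  # direct connection: the header is hearsay
    xff = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
        candidate = hop
    return candidate  # whole chain consists of our own proxies


class RateLimiter:
    """Minimal per-key counter: whoever chooses the key controls the limit."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = {}

    def allow(self, key):
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key] <= self.limit


def demo():
    attacker = "203.0.113.7"       # constructed attacker address
    proxies = ["192.0.2.0/24"]     # assumed: subnet of our reverse proxies
    results = {}

    # 1. Attacker connects directly and spoofs the header.
    hdr = {"x-forwarded-for": "10.0.0.1"}
    results["naive_direct"] = client_ip_naive(attacker, hdr)
    results["trusted_direct"] = client_ip_trusted(attacker, hdr, proxies)

    # 2. The request really came through our proxy, which appended the attacker.
    hdr = {"x-forwarded-for": "10.0.0.1, 203.0.113.7"}
    results["trusted_via_proxy"] = client_ip_trusted("192.0.2.10", hdr, proxies)

    # 3. Rate limit of 3 requests per key; the attacker rotates the header.
    limiter = RateLimiter(limit=3)
    allowed = 0
    for i in range(10):
        key = client_ip_naive(attacker, {"x-forwarded-for": f"10.0.0.{i}"})
        allowed += limiter.allow(key)
    results["naive_allowed"] = allowed    # every request gets a fresh key

    limiter = RateLimiter(limit=3)
    allowed = 0
    for i in range(10):
        key = client_ip_trusted(attacker, {"x-forwarded-for": f"10.0.0.{i}"}, proxies)
        allowed += limiter.allow(key)
    results["trusted_allowed"] = allowed  # all keyed on the real address
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `trusted_proxies` list is the whole fix: without it there is no way to tell a proxy-appended entry from one the client typed, which is why frameworks ask you to configure it before they honour forwarded headers at all.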
X-Forwarded-Host
The X-Forwarded-Host (XFH) header is a de-facto standard header for identifying the original host requested by the client in the Host HTTP request header. Reverse proxies set it when they rewrite Host for the backend, so backends often prefer it over Host when building absolute URLs.
Security implication
Test this header whenever the application builds an absolute link from the request host. For example, a password reset email might contain a link like https://website.com/reset-password?token=<token>. If the host is taken from X-Forwarded-Host, requesting a reset for the victim's account while sending this header with a host you control makes the emailed link point at your host, and the token is handed to you when the victim clicks it. The same trick applies to any other generated URL (redirects, canonical links, and pages that end up in a shared cache).
X-Original-URL / X-Rewrite-URL
Some applications support non-standard headers such as these to allow the target URL of a request to be overridden with the one specified in the header value.
Security implication
This behavior can be used to bypass access controls that are based on the request URL: a front-end component (reverse proxy, WAF, load-balancer rule) evaluates the path in the request line, for example blocking /admin, while the back end routes on the header value instead. Send a request for an allowed path with X-Original-URL: /admin (or X-Rewrite-URL) and check whether the restricted page is served.
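The mismatch described above as an added example, not code from the original notes: an edge ACL that inspects only the request-line path, a back end that routes on X-Original-URL / X-Rewrite-URL, and a hardened pipeline that evaluates the ACL on the path actually served. The routes, the /admin rule and the lower-cased header dict are constructed for the illustration.

```python
"""Added example: URL-override headers vs. a path-based access control.
Routes and the deny rule are constructed."""

DENY_PREFIXES = ("/admin",)  # constructed edge rule: block the admin area

ROUTES = {
    "/": "public page",
    "/admin": "admin console",
}


def edge_acl(path):
    """Front end: True if the request is allowed through."""
    return not any(path.startswith(p) for p in DENY_PREFIXES)


def resolve_path(path, headers, honour_override):
    """Back end: optionally let X-Original-URL / X-Rewrite-URL replace the path."""
    if honour_override:
        override = headers.get("x-original-url") or headers.get("x-rewrite-url")
        if override:
            return override.split("?", 1)[0]
    return path


def handle_vulnerable(path, headers):
    """The ACL sees the request line; routing sees the header."""
    if not edge_acl(path):
        return "403"
    return ROUTES.get(resolve_path(path, headers, honour_override=True), "404")


def handle_hardened(path, headers, honour_override=False):
    """Two fixes, either one closes the hole: do not honour the override
    headers from clients (strip them at the proxy, honour_override=False),
    and run the ACL on the path that will actually be served."""
    effective = resolve_path(path, headers, honour_override)
    if not edge_acl(effective):
        return "403"
    return ROUTES.get(effective, "404")


if __name__ == "__main__":
    probe = {"x-original-url": "/admin"}
    print("direct /admin:", handle_vulnerable("/admin", {}))
    print("/ with override (vulnerable):", handle_vulnerable("/", probe))
    print("/ with override (hardened):", handle_hardened("/", probe))
    print("/ with override honoured but ACL after:", handle_hardened("/", probe, True))
```

The probe that reveals the weakness is always the same pair of requests: the restricted path directly (expect 403) and an allowed path plus the override header (should also be 403; a 200 with restricted content means the back end routed on the header).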
Referrer-Policy
The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests.
Aside from the HTTP header, you can set this policy in HTML with a <meta name="referrer" content="..."> element, or per element with the referrerpolicy attribute on tags such as <a>, <img>, <iframe> and <script>.
Security implication
Bypass Referer-based CSRF validation: when an application relies on the Referer header to defend against CSRF, the attacker's page can send Referrer-Policy: no-referrer (or <meta name="referrer" content="no-referrer">) so that the browser omits the header from the forged request. If the application skips the check when the Referer is absent, which is common "to support proxies that strip it", the request is accepted.
https://github.com/francescovolpe/Offensive-Security-Notes/blob/main/WAPT/Vulnerabilities/CSRF%20(Cross-site%20request%20forgery).md#referer-based-validation-bypass
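The bypass above as an added example that is not part of the original notes or the linked page: the lenient Referer check that lets a missing header through, a strict version that does not, and the attacker page that suppresses the header with the meta tag. The application origin website.com comes from the notes; the attacker host, endpoint and form fields are constructed, and header names are assumed to be lower-cased.

```python
"""Added example: Referer-based CSRF check with and without the
'missing Referer is fine' hole, plus the attacker page that exploits it.
Hosts, endpoint and fields are constructed."""
from urllib.parse import urlsplit

APP_ORIGIN = "https://website.com"  # the application being attacked


def referer_check_lenient(headers):
    """Typical flawed check: rejects a foreign Referer but accepts a
    request that has no Referer at all."""
    ref = headers.get("referer")
    if ref is None:
        return True
    return urlsplit(ref).netloc == urlsplit(APP_ORIGIN).netloc


def referer_check_strict(headers):
    """Missing and foreign Referer both fail. Still weaker than a CSRF
    token, but it closes this particular bypass."""
    ref = headers.get("referer")
    if ref is None:
        return False
    parts = urlsplit(ref)
    return parts.scheme == "https" and parts.netloc == urlsplit(APP_ORIGIN).netloc


def attacker_page(action, fields):
    """HTML hosted on the attacker's origin: the meta tag sets the
    referrer policy to no-referrer, so the browser submits the form
    without any Referer header. Fields are plain values here; real
    payloads would need HTML escaping."""
    inputs = "".join(
        f'<input type="hidden" name="{k}" value="{v}">' for k, v in fields.items()
    )
    return (
        "<html><head>"
        '<meta name="referrer" content="no-referrer">'
        "</head><body>"
        f'<form id="f" method="POST" action="{action}">{inputs}</form>'
        "<script>document.getElementById('f').submit()</script>"
        "</body></html>"
    )


def demo():
    # What the server sees for the forged request, with and without the policy.
    with_referer = {"referer": "https://attacker.example/csrf.html"}
    no_referer = {}  # browser honoured no-referrer
    page = attacker_page(f"{APP_ORIGIN}/change-email",
                         {"email": "attacker@attacker.example"})
    return {
        "lenient_blocks_foreign": not referer_check_lenient(with_referer),
        "lenient_blocks_missing": not referer_check_lenient(no_referer),  # the bypass
        "strict_blocks_missing": not referer_check_strict(no_referer),
        "strict_allows_own": referer_check_strict({"referer": f"{APP_ORIGIN}/settings"}),
        "page_has_policy": 'content="no-referrer"' in page,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Sending the policy as a response header (Referrer-Policy: no-referrer) from the attacker's server has the same effect as the meta tag; either way the forged POST arrives with no Referer, and only the strict check refuses it.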