TaintedHeader
Potential header injection. This rule is emitted when user-controlled input can be passed into an HTTP header.
Risk
The risk of a header injection depends hugely on your environment.
If your webserver supports something like XSendFile / X-Accel, an attacker could potentially access arbitrary files on the system.
If your system does not do that, there may be other concerns, such as:
- Cookie Injection
- Open Redirects
- Proxy Cache Poisoning
Example
<?php
header($_GET['header']);
Mitigations
Make sure only the value and not the key can be set by an attacker. (e.g. header('Location: ' . $_GET['target']);)
Verify the set values are sensible. Consider using an allow list. (e.g. for redirections)
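Both mitigations combined, as an added example that is not part of the original documentation: the header name is a literal and the value is resolved through an allow list. The names REDIRECT_TARGETS and redirectHeaderFor, and the listed targets, are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical allow list for this example: short keys mapped to fixed redirect targets.
const REDIRECT_TARGETS = [
    'home'    => '/',
    'account' => '/account',
    'help'    => 'https://docs.example.com/help',
];

/**
 * Resolve a user-supplied key to a complete header line.
 * The header name is a literal; the value comes only from the allow list.
 */
function redirectHeaderFor(?string $requested): string
{
    // Unknown or missing keys fall back to a safe default instead of being echoed back.
    $target = REDIRECT_TARGETS[$requested ?? ''] ?? REDIRECT_TARGETS['home'];

    // Defence in depth: refuse CR, LF and NUL even in allow-listed values.
    if (preg_match('/[\r\n\0]/', $target) === 1) {
        throw new InvalidArgumentException('Invalid character in header value');
    }

    return 'Location: ' . $target;
}

// Constructed sample inputs: a valid key, a full header line, a CRLF attempt, no input.
$samples = ['account', 'Set-Cookie: sid=injected', "home\r\nSet-Cookie: sid=injected", null];
foreach ($samples as $sample) {
    // Only 'account' maps to its own target; every other sample yields "Location: /".
    printf("%-45s => %s\n", json_encode($sample), redirectHeaderFor($sample));
}

// In a request handler (commented out so the script runs from the CLI):
// header(redirectHeaderFor($_GET['target'] ?? null), true, 302);
```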