Manual HTTP Header Manipulation
What is it?
Manual HTTP header manipulation means editing the headers of an HTTP request or response by hand, typically by intercepting the traffic with a proxy such as Burp Suite and changing it before it is forwarded. Because the server cannot tell an edited header from a genuine one, applications that trust header values can be exposed to issues such as bypassed security controls, cross-site scripting (XSS), HTTP response splitting, and cache poisoning.
Example
Here is a simple example of a manual HTTP header manipulation attack:
Original HTTP request:

GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0

Modified HTTP request:

GET /admin HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Cookie: admin=true
In this example, the attacker changes the request path to /admin and adds a Cookie header with "admin" set to "true". The request only succeeds if the server treats that client-supplied cookie value as proof of authorization instead of checking the user's role on the server side.
Prevention
A server cannot stop a client from editing the headers it sends, so prevention means never trusting header values as authoritative: validate and sanitize them like any other user input, and set security-related response headers. This includes:
- Input validation: Validate user input by only accepting expected values.
- Use allow lists: Only allow known good input to pass through.
- Sanitize input: Remove or replace special characters from user input.
- Set security-related headers: Headers like Content-Security-Policy, X-Content-Type-Options, and Strict-Transport-Security can help prevent attacks.
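As an added example (not part of the original page), the following Python shows the server-side counterpart of these rules: the admin role is looked up in a server-side session store rather than read from the client-supplied "admin" cookie of the example above, and a user-controlled redirect path is accepted only if it is on an allow list and free of CR/LF, the characters HTTP response splitting depends on. The session ids, paths and the in-memory store are constructed assumptions.

```python
import re
from typing import Optional

# Constructed in-memory session store. The server, not the client, decides
# who is an administrator: the cookie only carries an opaque session id, and
# the role lives server-side, so adding "Cookie: admin=true" changes nothing.
SESSIONS = {
    "s3ss10n-user": {"user": "alice", "role": "user"},
    "s3ss10n-admin": {"user": "root", "role": "admin"},
}

# Allow list for a user-controlled "next" path that ends up in a Location
# header. Known-good values only; no block list of "bad" characters.
ALLOWED_PATHS = {"/", "/account", "/admin"}

# Printable ASCII only. CR (\x0d) and LF (\x0a) are excluded, which is what
# stops an injected value from terminating the header and starting a new one.
HEADER_VALUE_RE = re.compile(r"[\x20-\x7e]*")


def parse_cookies(header: str) -> dict:
    """Split a Cookie request header ("a=1; b=2") into a dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def is_admin(headers: dict) -> bool:
    """Authorize /admin from the server-side session; any 'admin' cookie is ignored."""
    cookies = parse_cookies(headers.get("Cookie", ""))
    session = SESSIONS.get(cookies.get("sid", ""))
    return session is not None and session["role"] == "admin"


def safe_location(user_path: str) -> Optional[str]:
    """Return a Location header value only if it is allow-listed and CRLF-free."""
    # fullmatch (not match) so a trailing newline cannot slip past the check
    if HEADER_VALUE_RE.fullmatch(user_path) is None:
        return None
    if user_path not in ALLOWED_PATHS:
        return None
    return user_path
```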