Noteworthy HTTP Headers: Each HTTP cycle also includes headers in both the client request and the server response that transmit details about the request or response.
There are several of these headers, but we are only concerned with a few that are most applicable to our approach covered in this website.
The headers that we are concerned about that are set by the web server and sent to the client’s browser as a part of the response cycle are:
- Set-Cookie: This header is how the server hands a cookie to the client, most importantly the session identifier that ties every later request to the user who logged in. The same header carries the cookie's attributes (Path, expiry, HttpOnly, Secure); a session cookie issued without HttpOnly can be read by script in the page, and one issued without Secure will also be sent over plain HTTP. If a hacker can steal a user's session (by leveraging attacks covered in later articles), they can assume the identity of the exploited user within the application.
- Content-Length: This header's value is the length of the response body in bytes. It is helpful to hackers because variation in the byte count of otherwise similar responses reveals how the application reacted to your input, which is exactly what you sort on when conducting brute force (repetitive guessing) attacks: a wrong password and the right one rarely produce a body of the same size. Note that a response sent with chunked transfer encoding has no Content-Length at all, so tools then fall back to measuring the body they actually received.
- Location: This header accompanies a 3xx redirect status and tells the browser where to go next. It is helpful to a hacker because, for example, a 302 to /login when you request a page unauthenticated tells you both that the page exists and where authentication happens, and the Location returned after a successful login shows where the application considers you logged in.
The headers that you should know more about that are sent by the client’s browser as part of the web request are:
- Cookie: This header sends the cookie (or several cookies, separated by semicolons) back to the server to maintain the user's session. Only the name=value pairs are sent; the attributes that came with Set-Cookie are not echoed back. The session value in this header should match the one the server issued, and that is what makes it helpful to hackers: it may provide a valid session with the application that can be used in attacks against other application users. Other cookies are not as juicy, such as a cookie that sets your desired language as English.
- Referer: This header (spelled "Referer" in HTTP; the misspelling is part of the standard) lists the webpage the user was on when the next web request was made. Think of it as storing "the last page visited". It is helpful to hackers because the browser fills it in, but any other client can set it to whatever value it likes, so if the application relies on this header for any sense of security, such as deciding that a request came from its own pages, that check can easily be bypassed with a forged value.
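The following is an added example, not code from the original article: a tiny stand-in application served on localhost, plus a client that walks through the five headers above. The application, its credentials (alice / "correct horse"), its paths (/login, /account, /transfer) and its deliberately weak Referer check are all constructed for this illustration.

```python
import http.client
import http.server
import secrets
import threading
from urllib.parse import parse_qs

# Constructed credentials, session store and origin (assumptions for the demo).
VALID_USER, VALID_PASS = "alice", "correct horse"
SESSIONS = set()
ORIGIN = "http://127.0.0.1"


class DemoHandler(http.server.BaseHTTPRequestHandler):
    """A minimal stand-in for the target application."""

    def log_message(self, *args):  # silence per-request logging
        pass

    def _session(self):
        # The Cookie request header is "name=value; name2=value2" with no attributes.
        raw = self.headers.get("Cookie", "")
        pairs = (p.strip().split("=", 1) for p in raw.split(";") if "=" in p)
        return dict(pairs).get("session")

    def _reply(self, status, body, extra=()):
        data = body.encode()
        self.send_response(status)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        if self.path != "/account":
            return self._reply(404, "not found")
        if self._session() in SESSIONS:
            return self._reply(200, "Welcome back, alice.")
        # Not logged in: Location tells the client (and the tester) where auth happens.
        self._reply(302, "", [("Location", "/login")])

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())

        def field(name):
            return form.get(name, [""])[0]

        if self.path == "/login":
            if (field("user"), field("pass")) != (VALID_USER, VALID_PASS):
                return self._reply(200, "Invalid username or password")
            sid = secrets.token_hex(16)
            SESSIONS.add(sid)
            # Set-Cookie carries the session id plus attributes the client never echoes back.
            return self._reply(302, "", [("Set-Cookie", f"session={sid}; HttpOnly; Path=/"),
                                         ("Location", "/account")])
        if self.path == "/transfer":
            # Deliberately weak: trusts the client-controlled Referer header as a CSRF defence.
            if self._session() not in SESSIONS:
                return self._reply(302, "", [("Location", "/login")])
            if not self.headers.get("Referer", "").startswith(ORIGIN):
                return self._reply(403, "cross-site request rejected")
            return self._reply(200, f"sent {field('amount')} to {field('to')}")
        self._reply(404, "not found")


def start_server():
    srv = http.server.HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def request(port, method, path, body=None, headers=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    result = {"status": resp.status, "headers": dict(resp.getheaders()),
              "body": resp.read().decode()}
    conn.close()
    return result


def walkthrough():
    port = start_server()
    form = {"Content-Type": "application/x-www-form-urlencoded"}
    out = {}
    # Location: probing a protected page unauthenticated reveals the login redirect.
    r = request(port, "GET", "/account")
    out["redirect"] = (r["status"], r["headers"].get("Location"))
    # Content-Length: a wrong guess and the real password differ in size,
    # the signal a brute-force tool sorts its results by.
    bad = request(port, "POST", "/login", "user=alice&pass=wrong", form)
    good = request(port, "POST", "/login", "user=alice&pass=correct+horse", form)
    out["lengths"] = (int(bad["headers"]["Content-Length"]), int(good["headers"]["Content-Length"]))
    # Set-Cookie -> Cookie: replay only the name=value part, never the attributes.
    cookie = good["headers"]["Set-Cookie"].split(";")[0]
    out["replay_status"] = request(port, "GET", "/account", headers={"Cookie": cookie})["status"]
    # Referer: the server's check is satisfied by whatever value the client chooses to send.
    hdrs = {"Cookie": cookie, **form}
    out["no_referer"] = request(port, "POST", "/transfer", "to=mallory&amount=500", hdrs)["status"]
    out["forged_referer"] = request(port, "POST", "/transfer", "to=mallory&amount=500",
                                    {**hdrs, "Referer": ORIGIN + "/account"})["status"]
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Running it prints the redirect target for the unauthenticated probe, the two response lengths (28 bytes for the failure message, 0 for the redirect after a correct login), a 200 when the stolen name=value pair is replayed, and a 403 followed by a 200 for the same /transfer request once a Referer under the application's own origin is supplied by hand.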