Hacktricks-skills pentest-hop-by-hop-headers
Use this skill whenever testing web applications for HTTP header vulnerabilities, proxy misconfigurations, or when investigating hop-by-hop header handling issues. Trigger this skill for any pentesting task involving HTTP headers, X-Forwarded-For manipulation, cache poisoning, or proxy bypass techniques. Don't forget to use this skill when the user mentions headers, proxies, HTTP security testing, or web application penetration testing.
git clone https://github.com/abelrguezr/hacktricks-skills
skills/pentesting-web/abusing-hop-by-hop-headers/SKILL.MDHop-by-Hop Header Abuse Testing
This skill helps you test for vulnerabilities related to HTTP hop-by-hop headers. These headers are meant to be removed by proxies but misconfigurations can lead to security issues like access control bypass and cache poisoning.
What Are Hop-by-Hop Headers?
Hop-by-hop headers are specific to a single transport-level connection and should not be forwarded by proxies. Standard hop-by-hop headers include:
Keep-AliveTransfer-EncodingTEConnectionTrailerUpgradeProxy-AuthorizationProxy-Authenticate
Additional headers can be designated as hop-by-hop via the
ConnectionConnection: close, X-Custom-HeaderWhy This Matters
Proxies are expected to remove hop-by-hop headers before forwarding requests. When they don't, or when they incorrectly handle headers marked as hop-by-hop, attackers can:
- Bypass access controls by manipulating headers like
X-Forwarded-For - Poison caches by injecting session-specific content
- Spoof client identity to appear as trusted sources
Testing Methodology
Step 1: Identify the Target
Determine if the target uses proxies, load balancers, or caching layers. Look for:
- Multiple
headers in responsesX-Forwarded-*
headers indicating proxy chainsVia- Caching headers like
,Cache-Control
,ETagLast-Modified
Step 2: Test Header Handling
Use the provided scripts to test how the target handles hop-by-hop headers:
# Test basic hop-by-hop header handling python scripts/test_hop_by_hop.py --url "https://target.com" --headers "X-Custom-Test" # Test X-Forwarded-For bypass python scripts/test_xff_bypass.py --url "https://target.com" --spoof-ip "10.0.0.1"
Step 3: Analyze Responses
Compare responses with and without hop-by-hop header manipulation. Look for:
- Different content based on header values
- Access control changes
- Cache behavior differences
Attack Scenarios
Scenario 1: X-Forwarded-For Bypass
Goal: Bypass IP-based access controls by manipulating the
X-Forwarded-ForHow it works:
- Send a request with a spoofed IP in
X-Forwarded-For - Add
to mark it as hop-by-hopConnection: close, X-Forwarded-For - If the proxy forwards the request without the header, the backend may see the request as coming from a trusted proxy
Example request:
GET /admin HTTP/1.1 Host: target.com Connection: close, X-Forwarded-For X-Forwarded-For: 10.0.0.1
What to look for:
- Access granted when it should be denied
- Different response content based on spoofed IP
- Backend treating the request as from a trusted source
Scenario 2: Cache Poisoning
Goal: Inject malicious content into a cache by exploiting hop-by-hop header handling.
How it works:
- Send a request with a header that should be hop-by-hop (e.g.,
)Cookie - Mark it as hop-by-hop via
Connection: close, Cookie - If the cache incorrectly caches the response, other users receive your session-specific content
Example request:
GET /api/user HTTP/1.1 Host: target.com Connection: close, Cookie Cookie: session=attacker-session-id
What to look for:
- Cached responses containing session-specific data
- Other users receiving your tailored content
- Inconsistent responses for the same URL
Scenario 3: Header Injection
Goal: Inject custom headers that bypass security controls.
How it works:
- Identify a header the application trusts (e.g.,
,X-Is-Admin
)X-Role - Mark it as hop-by-hop and inject a malicious value
- If the proxy forwards it, the backend may grant elevated privileges
Example request:
GET /api/data HTTP/1.1 Host: target.com Connection: close, X-Is-Admin X-Is-Admin: true
Practical Testing Commands
Using curl
# Test X-Forwarded-For bypass curl -v "https://target.com/admin" \ -H "Connection: close, X-Forwarded-For" \ -H "X-Forwarded-For: 10.0.0.1" # Test cache poisoning curl -v "https://target.com/api/user" \ -H "Connection: close, Cookie" \ -H "Cookie: session=test123" # Test custom header injection curl -v "https://target.com/api/data" \ -H "Connection: close, X-Is-Admin" \ -H "X-Is-Admin: true"
Using the Test Scripts
# Run comprehensive hop-by-hop tests python scripts/test_hop_by_hop.py \ --url "https://target.com" \ --headers "X-Forwarded-For,X-Is-Admin,X-Role" \ --output results.json # Test specific bypass scenario python scripts/test_xff_bypass.py \ --url "https://target.com/admin" \ --spoof-ip "192.168.1.1" \ --trusted-range "10.0.0.0/8"
Interpreting Results
Positive Indicators (Vulnerability Found)
- Response changes when hop-by-hop headers are manipulated
- Access control bypass successful
- Cache contains session-specific content
- Backend trusts injected header values
Negative Indicators (No Vulnerability)
- Consistent responses regardless of header manipulation
- Proxies correctly strip hop-by-hop headers
- Backend validates headers properly
Reporting Findings
When documenting hop-by-hop header vulnerabilities:
- Include the exact request that triggered the vulnerability
- Show the response difference between normal and manipulated requests
- Explain the impact (e.g., "allows bypass of IP-based access control")
- Provide remediation (e.g., "configure proxy to properly strip hop-by-hop headers")
Common Misconfigurations
- Proxies that don't strip headers listed in
Connection - Caches that include hop-by-hop headers in cache keys
- Backends that trust
headers without validationX-Forwarded-* - Load balancers that forward all headers without filtering
References
- RFC 2616 Section 13.5.1 - Hop-by-hop headers
- Original Research - Abusing HTTP hop-by-hop request headers
- OWASP Header Injection - Related testing guidance