Front Range OWASP Conference 2013/Sessions/Sess2 Tech1


Adventures in Large Scale HTTP Header Abuse

While the technique of sending malicious data through HTTP Header fields is not new, there is a conspicuous lack of information on the topic.

This presentation explores the research and testing results of a random audit of 1.6 million websites. The speaker will cover the history of HTTP header attacks, the logic that went into building an HTTP header audit tool, and, most interestingly, the findings of the test run.

How many vulnerable websites were discovered? What attacks were they most susceptible to? Which Header fields are most likely to be vulnerable?

Finally, the presentation will discuss defensive techniques against HTTP header abuse and how to efficiently audit a site's HTTP header fields for vulnerabilities.
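The abstract does not describe how the speaker's audit tool works. The block below is an added example, not code from this page or from the talk, showing the core idea any such tool needs: send a unique canary plus a few metacharacters in one request header at a time, then classify where the canary comes back (unencoded in the body, HTML-encoded in the body, or copied into a response header). The `fake_app` responder is a constructed stand-in for a target site so the example runs offline; `urllib_sender` is an assumed helper for pointing the same auditor at a real URL you are authorized to test.

```python
"""Minimal HTTP header audit (added example; not the speaker's tool).

Each request carries exactly one test header, so a reflected canary
can be attributed to that header without ambiguity.
"""
import html
import secrets
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Headers commonly logged, displayed or echoed by web applications.
HEADERS_TO_TEST: List[str] = [
    "User-Agent",
    "Referer",
    "X-Forwarded-For",
    "Cookie",
    "Accept-Language",
]

# Metacharacters appended to the canary; if they survive unencoded in an
# HTML body, the header is a candidate injection sink.
PROBE = "<\"'>"

Response = Tuple[int, Dict[str, str], str]          # status, headers, body
Sender = Callable[[Dict[str, str]], Response]       # one request -> one response


def audit_headers(send: Sender, headers: List[str] = HEADERS_TO_TEST) -> Dict[str, str]:
    """Return {header_name: classification} for every header whose canary is reflected."""
    findings: Dict[str, str] = {}
    for name in headers:
        canary = f"hdr{secrets.token_hex(4)}"       # unique per header, per run
        payload = f"{canary}{PROBE}"
        _status, resp_headers, body = send({name: payload})
        if payload in body:
            findings[name] = "reflected-unencoded-body"
        elif canary in body:
            findings[name] = "reflected-encoded-body"     # canary present, metachars encoded
        elif any(canary in value for value in resp_headers.values()):
            findings[name] = "reflected-in-response-header"
    return findings


def fake_app(req_headers: Dict[str, str]) -> Response:
    """Constructed stand-in for a target site (assumed behaviour, for offline use).

    - echoes User-Agent raw into HTML (vulnerable)
    - echoes Referer through html.escape (safe reflection)
    - copies Accept-Language into a response header (header reflection)
    """
    ua = req_headers.get("User-Agent", "")
    ref = req_headers.get("Referer", "")
    lang = req_headers.get("Accept-Language", "")
    body = f"<p>Browser: {ua}</p><p>From: {html.escape(ref)}</p>"
    resp_headers = {"Content-Language": lang} if lang else {}
    return 200, resp_headers, body


def urllib_sender(url: str) -> Sender:
    """Assumed helper: build a Sender that issues real GETs to `url` with urllib."""
    def send(headers: Dict[str, str]) -> Response:
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, dict(resp.headers.items()), resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:          # 4xx/5xx still carry a body worth checking
            return err.code, dict(err.headers.items()), err.read().decode("utf-8", "replace")
    return send


if __name__ == "__main__":
    for header, verdict in audit_headers(fake_app).items():
        print(f"{header}: {verdict}")
```

Against `fake_app` the auditor flags `User-Agent` as an unencoded body reflection, `Referer` as an encoded one, and `Accept-Language` as a response-header reflection, while `Cookie` and `X-Forwarded-For` produce no finding. A per-request canary rather than a fixed string matters at scale: it lets you attribute a reflection found later (in a log viewer or a cached page) to the exact header and run that produced it.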


Zachary Wolff

Zak is an Advanced R&D Engineer at LogRhythm Labs.