From the course: Threat Modeling: Tampering in Depth


Headers: Injection and order


- [Instructor] Message headers present another interesting opportunity for tampering, often called header injection. Some message headers are outside of what's signed and protected because they're added by servers after the signature is generated. At the top, a mail server is prepending data about the path the message is taking. It shouldn't remove the old signature, but add details and then maybe sign again. You can inject completely new headers, or you can duplicate headers that are already in the message. For example, what if I put some fake Date headers on an email message? I'm moving it either to the future or the past. Will the extra header be shown as the actual date of the email? It's hard to predict how a given server will parse headers; it's hard to predict how a given client will parse the headers; but it's easy to predict that they won't always be the same. Some software will parse the headers looking for…
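The parsing ambiguity the instructor describes can be made concrete with a few lines of Python. The example below is added here and is not part of the course material; it uses the standard library `email` package on a constructed message in which a second, far-future `Date` header has been prepended. Two explicit parsing strategies (first occurrence wins, last occurrence wins) return different dates from the same bytes, and a defender-side check flags any header that RFC 5322 allows only once but that appears more than once. The `SINGLETON_HEADERS` list and the sample message are assumptions made for illustration.

```python
import email
from email.utils import parsedate_to_datetime

# Header fields RFC 5322 section 3.6 limits to at most one occurrence per message.
# This subset is chosen for the example; extend it to taste.
SINGLETON_HEADERS = ("Date", "From", "Sender", "Reply-To", "To", "Subject", "Message-ID")

# Constructed sample message (not a real capture). The first Date header was
# prepended after the original message was written and points 11 years ahead.
SAMPLE = """\
Received: from relay.example by mx.example; Tue, 02 Jan 2024 10:00:00 +0000
Date: Mon, 01 Jan 2035 09:00:00 +0000
From: alice@example.com
To: bob@example.com
Subject: Quarterly numbers
Date: Mon, 01 Jan 2024 08:00:00 +0000
Message-ID: <constructed-1@example.com>

Body text.
"""


def header_values(raw, name):
    """Return every value of header `name`, in the order they appear."""
    msg = email.message_from_string(raw)  # compat32 policy: plain str values
    return msg.get_all(name) or []


def first_wins(raw, name):
    """Strategy A: the topmost occurrence is treated as authoritative."""
    values = header_values(raw, name)
    return values[0] if values else None


def last_wins(raw, name):
    """Strategy B: the bottommost occurrence is treated as authoritative."""
    values = header_values(raw, name)
    return values[-1] if values else None


def date_skew_days(raw):
    """How far apart, in days, the first and last Date headers land.
    Returns 0 when there is at most one Date header."""
    values = header_values(raw, "Date")
    if len(values) < 2:
        return 0
    first = parsedate_to_datetime(values[0])
    last = parsedate_to_datetime(values[-1])
    return abs((first - last).days)


def find_duplicate_singletons(raw):
    """Detection check: map each singleton header that appears more than once
    to its list of values. An empty dict means the message is clean."""
    duplicates = {}
    for name in SINGLETON_HEADERS:
        values = header_values(raw, name)
        if len(values) > 1:
            duplicates[name] = values
    return duplicates


if __name__ == "__main__":
    print("first-wins Date:", first_wins(SAMPLE, "Date"))
    print("last-wins  Date:", last_wins(SAMPLE, "Date"))
    print("skew (days):    ", date_skew_days(SAMPLE))
    print("duplicates:     ", find_duplicate_singletons(SAMPLE))
```

Running the script shows the two strategies disagreeing by roughly eleven years on the same message, which is exactly why a gateway should reject or quarantine messages with duplicated singleton headers rather than rely on whichever occurrence its own parser happens to pick.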
