HTTP Protocol Attack Surface

The HTTP protocol defines how clients and servers communicate on the web. Because HTTP is simple, text-based, and highly flexible, attackers can manipulate almost every part of the request/response cycle to exploit weaknesses in parsing, routing, caching, authentication, and state management. Understanding the full HTTP attack surface is essential because many high-impact vulnerabilities originate from incorrect assumptions about how HTTP behaves.

HTTP security is not only about headers and methods—it includes how servers interpret requests, how proxies transform them, how caches store them, and how clients interact with responses.

Core Components of an HTTP Request

A typical HTTP request contains:

METHOD /path?query HTTP/1.1
Host: example.com
Header1: value
Header2: value

Body (optional)

Attackers can manipulate every component:

  • method

  • path

  • query string

  • protocol version

  • headers

  • request body

  • content type

  • encoding

Each part becomes an entry point for attacks.

HTTP Methods as an Attack Surface

GET

Normally carries no body, so payloads go into the path and query string, where they also end up in logs, browser history and caches.

POST

Carries a body, the usual place for parameter tampering, JSON injection and filter bypasses.

PUT, DELETE, PATCH

Often exposed by mistake in APIs. If unprotected:

  • PUT → upload/overwrite files

  • DELETE → remove resources

  • PATCH → modify data

HEAD

Treated like GET with the response body stripped, so the server still runs the full request logic. Guards written only for GET and POST can be skipped by sending the same request as HEAD.

OPTIONS

Reveals allowed methods, CORS policies, and internal details.

TRACE

If enabled, echoes the request, including the Cookie header, in the response body. Historically used for XST (Cross-Site Tracing) to read HttpOnly cookies; modern browsers refuse to issue TRACE from script, so today it is mostly a hardening finding and a sign of a poorly configured server.

WebDAV Methods (PROPFIND, MOVE, COPY)

Enable file manipulation when servers expose WebDAV unintentionally.

HTTP Path and URL Manipulation

Attackers test:

  • encoded characters

  • double encoding

  • path traversal

  • path normalization bypass

  • trailing slashes

  • case sensitivity

  • mixed encoding

Examples:

/admin
/ADMIN
/admin/
/..;/admin
/%2e%2e/admin

Depending on which layer decodes, normalises and compares the path, attackers may bypass access control: a front-end that matches the raw string against /admin can be fooled when the backend percent-decodes, drops ;-style path parameters and collapses .. segments before routing.
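The following Python script is an added example and not code from the original page. It models a front-end that checks the raw path against /admin and a backend that percent-decodes, strips ;-parameters, collapses .. and folds case before routing, then probes the paths listed above. The names naive_front_end_allows, backend_route and hardened_front_end_allows are hypothetical, and the backend's normalisation rules are assumptions chosen to show the mismatch; real servers differ.

```python
import posixpath
from urllib.parse import unquote


def naive_front_end_allows(raw_path: str) -> bool:
    """Weak front-end (proxy/WAF) rule: block anything whose RAW path starts
    with /admin. No decoding or normalisation happens before the comparison."""
    return not raw_path.startswith("/admin")


def backend_route(raw_path: str) -> str:
    """Assumed backend routing behaviour (a model, not a specific server):
    percent-decode once, drop Tomcat-style ';param' path parameters
    ('..;' becomes '..'), collapse '.' and '..', strip the trailing slash
    and fold case."""
    path = unquote(raw_path)
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = posixpath.normpath(path)          # resolves '/../admin' to '/admin'
    return path.rstrip("/").lower() or "/"


def hardened_front_end_allows(raw_path: str) -> bool:
    """Hardened rule: normalise exactly as the backend does, then compare."""
    return not backend_route(raw_path).startswith("/admin")


def probe(paths):
    """For each candidate path, report where the backend routes it and whether
    each front-end rule lets a request that reaches /admin through."""
    report = {}
    for raw in paths:
        routed = backend_route(raw)
        is_admin = routed.startswith("/admin")
        report[raw] = {
            "backend_route": routed,
            "naive_bypass": naive_front_end_allows(raw) and is_admin,
            "hardened_bypass": hardened_front_end_allows(raw) and is_admin,
        }
    return report


if __name__ == "__main__":
    # Constructed candidate paths, including the ones from the list above.
    candidates = ["/admin", "/ADMIN", "/admin/", "/..;/admin",
                  "/%2e%2e/admin", "/public/../admin", "/public"]
    for raw, result in probe(candidates).items():
        print(f"{raw:20} -> {result}")
```

The point of the hardened rule is not the particular normalisation but that the access decision and the routing decision must be made on the same representation of the path; any layer that decides before the final decoding step is bypassable.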

Query String Manipulation

Query parameters often contain sensitive values:

?id=
?user=
?file=
?path=
?action=

Attackers modify:

?id=1 → ?id=2

This leads to IDOR and business logic flaws.

Multiple parameters with the same name (HTTP parameter pollution):

id=1&id=2

Different frameworks interpret these differently: some take the first value, some the last, some return a list or a comma-joined string. A filter that validates one value and an application that consumes another can be split apart.
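An added example (not from the original page) of that split. parse_query is a hypothetical helper that parses a query string in first-wins, last-wins and keep-all styles; filter_allows and backend_id are a constructed front-end filter and backend that use different styles, and hardened_allows rejects repeated names outright. The same mismatch applies to array-style parameters such as role[]=admin.

```python
from urllib.parse import parse_qsl


def parse_query(query: str, style: str) -> dict:
    """Parse a query string the way different stacks commonly do.
    'first': first value wins (Java servlet getParameter, Flask request.args.get)
    'last' : last value wins (PHP $_GET)
    'all'  : every value kept as a list (Express, Python's parse_qs)"""
    result = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if style == "all":
            result.setdefault(name, []).append(value)
        elif style == "first":
            result.setdefault(name, value)
        elif style == "last":
            result[name] = value
        else:
            raise ValueError(f"unknown style {style!r}")
    return result


def filter_allows(query: str) -> bool:
    """Constructed front-end filter: 'id' must be numeric. It is first-wins."""
    return parse_query(query, "first").get("id", "").isdigit()


def backend_id(query: str):
    """Constructed backend: last-wins, so it consumes a value the filter never saw."""
    return parse_query(query, "last").get("id")


def hardened_allows(query: str) -> bool:
    """Hardened filter: reject repeated names and validate the single value."""
    values = parse_query(query, "all").get("id", [])
    return len(values) == 1 and values[0].isdigit()


if __name__ == "__main__":
    polluted = "id=1&id=1%20OR%201%3D1"   # constructed attacker query string
    print("filter allows:", filter_allows(polluted))
    print("backend uses :", backend_id(polluted))
    print("hardened     :", hardened_allows(polluted))
```

The filter sees "1" and passes the request; the backend acts on "1 OR 1=1". Validating every occurrence, or rejecting duplicates, is the only rule that holds regardless of which parser sits behind the filter.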

Header-Based Attack Surface

Host Header Injection

Manipulate:

Host: attacker.com

Used for:

  • password reset poisoning

  • cache poisoning

  • SSRF

  • routing manipulation

X-Forwarded-For (XFF)

Allows IP spoofing:

X-Forwarded-For: 127.0.0.1

Used to bypass IP-based restrictions and rate limits whenever the application trusts the leftmost entry. Only an entry appended by your own proxy is trustworthy, and only the hops to the right of the last untrusted address can be believed.
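An added example (not from the original page) contrasting the leftmost-entry mistake with trusted-proxy aware resolution. TRUSTED_PROXIES and ADMIN_ALLOWLIST are constructed configuration; client_ip_naive, client_ip_trusted and admin_allowed are hypothetical helpers. The hardened resolver walks the chain from the right, starting with the socket peer, which the client cannot forge.

```python
import ipaddress

# Constructed trust configuration: the only hops allowed to append X-Forwarded-For entries.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("203.0.113.10/32")]
# Constructed IP-based restriction on an admin endpoint.
ADMIN_ALLOWLIST = {"127.0.0.1", "10.0.0.42"}


def _is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_naive(xff: str, peer: str) -> str:
    """Vulnerable: takes the leftmost entry, which the client wrote itself."""
    return xff.split(",")[0].strip() if xff else peer


def client_ip_trusted(xff: str, peer: str):
    """Hardened: walk the chain from the right, skipping trusted proxy hops;
    the first untrusted address is the client. Returns None when the first
    untrusted entry is not a valid address (reject rather than guess)."""
    hops = [h.strip() for h in xff.split(",")] if xff else []
    for addr in reversed(hops + [peer]):
        if _is_trusted(addr):
            continue
        try:
            return str(ipaddress.ip_address(addr))
        except ValueError:
            return None
    return peer  # every hop trusted (internal traffic): fall back to the socket peer


def admin_allowed(xff: str, peer: str, resolver) -> bool:
    """Apply the allow-list using the chosen resolver."""
    return resolver(xff, peer) in ADMIN_ALLOWLIST


if __name__ == "__main__":
    # Constructed request: client sent "X-Forwarded-For: 127.0.0.1"; the trusted
    # proxy 203.0.113.10 appended the real client address before forwarding.
    xff, peer = "127.0.0.1, 198.51.100.7", "203.0.113.10"
    print("naive  :", client_ip_naive(xff, peer), admin_allowed(xff, peer, client_ip_naive))
    print("trusted:", client_ip_trusted(xff, peer), admin_allowed(xff, peer, client_ip_trusted))
```

If the application is reachable without going through the proxy at all, the peer itself is untrusted and the header is ignored entirely, which is the behaviour the hardened resolver gives for free.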

Content-Type Manipulation

Changes which parser the server runs on the body:

Content-Type: application/json

or

Content-Type: multipart/form-data

Improper or unexpected types lead to deserialization or injection issues.

User-Agent / Referer Injection

Injected into logs:

User-Agent: <?php system($_GET['cmd']); ?>

Useful for log poisoning; it becomes code execution only when the poisoned log file is later included through a file-inclusion flaw.

Accept-Language and Other Minor Headers

Some frameworks trust headers for routing or localization. Attackers abuse this.

Cookie Header Manipulation

Cookies often store:

  • sessions

  • roles

  • settings

Tampering cookies can result in authentication bypass or privilege escalation.

HTTP Body Attack Surface

HTTP bodies can be:

  • form-encoded

  • JSON

  • XML

  • multipart

  • raw binary

Each type has unique attack vectors.

Form-Encoded Bodies

username=mayur&role=user

Modify:

role=admin

JSON Bodies

{"user":"mayur","admin":false}

Modify:

{"user":"mayur","admin":true}

If server does not validate fields → privilege escalation.

XML Bodies (XXE)

<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY x SYSTEM "file:///etc/passwd">
]>
<root>&x;</root>

If the parser resolves external entities, the file contents come back in the response or in an error message.

Multipart Bodies (File Upload Bypass)

Multipart content can bypass:

  • WAF rules

  • content-type validation

  • file extension checks

Attackers manipulate boundaries, part headers and filenames (for example duplicate filename= attributes, or a part Content-Type that disagrees with the extension) so that the filter and the application see different files.

HTTP Version Attack Surface

Different HTTP versions behave differently:

  • HTTP/1.0

  • HTTP/1.1

  • HTTP/2

  • HTTP/3

Attackers use inconsistencies to trigger smuggling or cache poisoning.

HTTP Request Smuggling

Occurs when proxies and backends parse request boundaries differently.

Example:

Content-Length vs Transfer-Encoding

A small parsing mismatch lets attackers:

  • bypass security

  • poison other users' requests

  • hijack sessions

HTTP/2 Specific Attacks

  • stream multiplexing abuse (resource exhaustion, races against a single connection)

  • header names and values that HTTP/1.1 would reject (containing CR, LF or a colon) but that lax HTTP/2 implementations accept; they turn into injected headers or a smuggled request when a front-end downgrades the request to HTTP/1.1 (H2.CL / H2.TE)

  • pseudo-header manipulation (:method, :path, :authority)

HTTP/2 behaviour differs enough to confuse backends that still reason in HTTP/1.1 terms, especially behind a downgrading front-end.

Response Manipulation Attack Surface

Cache Poisoning

Manipulate unkeyed inputs that the application reflects into the response, typically:

Host:
X-Forwarded-Host:

If the cache keys only on the URL, the poisoned response is stored and served to every user who requests that URL.

CORS Misconfigurations

A wildcard alone,

Access-Control-Allow-Origin: *

exposes only unauthenticated data, because browsers refuse to send cookies on, or accept the wildcard for, credentialed requests. The dangerous pattern is reflecting the request Origin together with Access-Control-Allow-Credentials: true (or matching origins by suffix or substring), which lets an attacker's page read the victim's authenticated responses.
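An added example (not from the original page) that evaluates four CORS policies against the browser's rules. ALLOWED_ORIGINS is constructed configuration; cors_reflect, cors_suffix_match, cors_wildcard and cors_allowlist are hypothetical server-side policies, and the two browser_allows_* functions encode the rule that a credentialed read needs an exact-origin ACAO plus ACAC: true.

```python
from urllib.parse import urlsplit

# Constructed allow-list of first-party origins.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_reflect(origin: str) -> dict:
    """Vulnerable: echo whatever Origin arrives and allow credentials."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_suffix_match(origin: str) -> dict:
    """Vulnerable: 'host ends with example.com' also matches evilexample.com."""
    if urlsplit(origin).netloc.endswith("example.com"):
        return cors_reflect(origin)
    return {}


def cors_wildcard(origin: str) -> dict:
    """Public data only: '*' can never be combined with credentials."""
    return {"Access-Control-Allow-Origin": "*"}


def cors_allowlist(origin: str) -> dict:
    """Hardened: exact match against a fixed set, plus Vary so shared caches
    keep per-origin responses apart."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def browser_allows_credentialed_read(origin: str, headers: dict) -> bool:
    """Browser rule for a credentialed cross-origin fetch: ACAO must equal the
    requesting origin exactly (never '*') and ACAC must be 'true'."""
    return (headers.get("Access-Control-Allow-Origin") == origin
            and headers.get("Access-Control-Allow-Credentials") == "true")


def browser_allows_anonymous_read(origin: str, headers: dict) -> bool:
    """Without credentials, '*' or the exact origin is enough."""
    return headers.get("Access-Control-Allow-Origin") in ("*", origin)


if __name__ == "__main__":
    for evil in ("https://evil.example", "https://evilexample.com", "null"):
        for policy in (cors_reflect, cors_suffix_match, cors_wildcard, cors_allowlist):
            ok = browser_allows_credentialed_read(evil, policy(evil))
            print(f"{policy.__name__:18} {evil:26} credentialed read: {ok}")
```

Note the "null" origin: sandboxed iframes and some redirects send it, so an allow-list that contains "null" is equivalent to reflecting any origin.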

Content Security Policy (CSP) Weaknesses

A CSP that permits 'unsafe-inline', broad wildcards or hosts the attacker can upload to does not stop XSS.

HSTS Misconfigurations

Missing HSTS leaves users open to downgrade (SSL-stripping) attacks that keep them on plain HTTP.

Improper MIME Types

Serving user-uploaded files as text/html, or with a sniffable type and without X-Content-Type-Options: nosniff, leads to stored XSS.

Chunked Transfer Encoding Manipulation

Chunked encoding allows request smuggling:

Transfer-Encoding: chunked

Attackers exploit differences in chunk interpretation between:

  • proxies

  • load balancers

  • backend servers

Redirect Handling Weaknesses

Open Redirects

Location: http://attacker.com

Attackers can launch phishing or OAuth token theft attacks.

Header Injection in Location

If unescaped user input reaches the Location header and the server does not reject control characters, a CR/LF pair in the value ends the header:

Location: /home<CR><LF>Set-Cookie: session=attacker

The attacker then controls the rest of the response (response splitting) or rewrites the redirect target (redirect poisoning). Most current servers and frameworks reject bare CR/LF in header values, so check how the value is decoded before it is written.
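An added example (not from the original page) covering both redirect weaknesses above: is_safe_redirect is a hypothetical validator that accepts only local absolute paths, and redirect_vulnerable / redirect_hardened are constructed response builders that write raw header bytes, the way an old hand-rolled server would, so the splitting is visible. parse_response_headers is a small helper used only to inspect the result.

```python
from urllib.parse import urlsplit


def is_safe_redirect(target: str) -> bool:
    """Accept only a local absolute path: no scheme, no host, none of the
    protocol-relative '//host' or '/\\host' forms browsers honour, and no
    control characters that could terminate the header."""
    if not target or not target.startswith("/"):
        return False
    if any(ch in target for ch in "\r\n\x00"):
        return False
    if target.startswith(("//", "/\\")):
        return False
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def _raw_redirect(target: str) -> bytes:
    """Constructed minimal 302 response writer with no header-value checks."""
    return (f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("latin-1")


def redirect_vulnerable(target: str) -> bytes:
    """Writes the user-supplied value straight into the header block (the bug)."""
    return _raw_redirect(target)


def redirect_hardened(target: str) -> bytes:
    """Validates first and falls back to the site root on anything suspicious."""
    return _raw_redirect(target if is_safe_redirect(target) else "/")


def parse_response_headers(raw: bytes) -> dict:
    """Split the header block the way a client would; used to inspect results."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers


if __name__ == "__main__":
    # Constructed attacker value: ends the Location header and injects a cookie.
    injected = "/home\r\nSet-Cookie: session=attacker"
    print(parse_response_headers(redirect_vulnerable(injected)))
    print(parse_response_headers(redirect_hardened(injected)))
    for t in ("/account", "https://attacker.com", "//attacker.com", "/\\attacker.com"):
        print(f"{t:22} safe={is_safe_redirect(t)}")
```

The validator deliberately refuses anything that is not a leading-slash path rather than trying to enumerate bad schemes; "javascript:", "data:" and protocol-relative forms all fail the first test.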

Real-World HTTP Attack Examples

Password Reset URL Poisoning

If the server builds absolute URLs from the Host header (or X-Forwarded-Host):

Host: attacker.com

Password reset link becomes:

http://attacker.com/reset?token=abc

Victim receives attacker-controlled link.
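An added example (not from the original page) for this scenario and for the Host Header Injection section earlier: reset_link_vulnerable builds the link from request headers, honouring X-Forwarded-Host before Host as many stacks do, while reset_link_hardened validates Host against an allow-list and builds the link from configuration. CANONICAL_HOST and ALLOWED_HOSTS are constructed configuration and both function names are hypothetical.

```python
from urllib.parse import urlencode

# Constructed deployment configuration: the only names this application is served under.
CANONICAL_HOST = "example.com"
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Builds the absolute URL from request headers. Many stacks consult
    X-Forwarded-Host before Host, so either header poisons the link."""
    host = headers.get("x-forwarded-host") or headers.get("host")
    return f"https://{host}/reset?{urlencode({'token': token})}"


def reset_link_hardened(headers: dict, token: str):
    """Validates Host against the allow-list (reject with None otherwise) and
    then builds the URL from the configured canonical name, so no request
    header can steer where the token is sent."""
    if headers.get("host") not in ALLOWED_HOSTS:
        return None
    return f"https://{CANONICAL_HOST}/reset?{urlencode({'token': token})}"


if __name__ == "__main__":
    # Constructed requests, header names lower-cased as most frameworks expose them.
    poisoned = {"host": "attacker.com"}
    forwarded = {"host": "example.com", "x-forwarded-host": "attacker.com"}
    for req in (poisoned, forwarded, {"host": "example.com"}):
        print(req)
        print("  vulnerable:", reset_link_vulnerable(req, "abc"))
        print("  hardened  :", reset_link_hardened(req, "abc"))
```

The allow-list check alone is not enough when a front-end rewrites or adds X-Forwarded-Host; building the link from configuration removes the dependency on any request header.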

Smuggling Attacks Leading to Admin Access

Manipulated request, the CL.TE case (front-end honours Content-Length, back-end honours Transfer-Encoding):

POST / HTTP/1.1
Host: example.com
Content-Length: 31
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Foo: 

The 31 bytes count everything from the "0" line through "Foo: ", CRLFs included. The front-end forwards all 31 body bytes as one request. The back-end ends the request at the zero-length chunk and keeps the remaining bytes as the start of the next request on the connection, so the next user's request line is swallowed into the Foo header and their request executes as GET /admin. Proxy sees one request, backend sees two.
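An added example (not from the original page) that simulates the desync in this section, the HTTP Request Smuggling section and the Chunked Transfer Encoding Manipulation section: frame_requests is a hypothetical framer that splits one connection's bytes into requests honouring either Content-Length or Transfer-Encoding, and SMUGGLE and VICTIM are constructed requests. Both framers are stand-ins for a front-end and a back-end, not real servers.

```python
def _parse_head(stream: bytes, pos: int):
    """Return (request_line, headers, body_start), or None if the head is incomplete."""
    end = stream.find(b"\r\n\r\n", pos)
    if end == -1:
        return None
    lines = stream[pos:end].split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("latin-1"), headers, end + 4


def _read_chunked(stream: bytes, pos: int):
    """Consume a chunked body starting at pos; return (body, position after it)."""
    body = b""
    while True:
        line_end = stream.find(b"\r\n", pos)
        if line_end == -1:
            return body, len(stream)
        size = int(stream[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            # the zero-length chunk ends the body; skip the (empty) trailer section
            end = stream.find(b"\r\n", pos)
            return body, (len(stream) if end == -1 else end + 2)
        body += stream[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def frame_requests(stream: bytes, honour: str):
    """Split one connection's bytes into (request_line, headers, body) tuples.
    honour="cl": Content-Length wins (the front-end in a CL.TE chain).
    honour="te": Transfer-Encoding: chunked wins, as RFC 9112 requires."""
    requests, pos = [], 0
    while pos < len(stream):
        head = _parse_head(stream, pos)
        if head is None:
            requests.append(("<incomplete>", {}, stream[pos:]))
            break
        request_line, headers, body_start = head
        chunked = b"chunked" in headers.get(b"transfer-encoding", b"").lower()
        if honour == "te" and chunked:
            body, pos = _read_chunked(stream, body_start)
        else:
            length = int(headers.get(b"content-length", b"0"))
            body = stream[body_start:body_start + length]
            pos = body_start + length
        requests.append((request_line, headers, body))
    return requests


def request_lines(stream: bytes, honour: str):
    """Just the request lines each side believes it saw."""
    return [r[0] for r in frame_requests(stream, honour)]


# Constructed attacker request: Content-Length covers all 31 body bytes, while the
# chunked body ends at the zero-length chunk and leaves a request prefix behind.
SMUGGLE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Content-Length: 31\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"Foo: "
)
# Constructed follow-up request from an unrelated user on the same back-end connection.
VICTIM = b"GET /victim HTTP/1.1\r\nHost: example.com\r\n\r\n"


if __name__ == "__main__":
    print("front-end (CL):", request_lines(SMUGGLE + VICTIM, "cl"))
    print("back-end  (TE):", request_lines(SMUGGLE + VICTIM, "te"))
```

The front-end believes it forwarded a POST and the victim's GET /victim; the back-end executed the POST and then GET /admin, with the victim's request line buried in the Foo header. The defence is the one the RFC mandates: reject requests carrying both headers, or normalise to exactly one framing before forwarding, so both sides agree on every byte.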

Cache Poisoning via Header Injection

Inject:

X-Forwarded-Host: attacker.com

If the application reflects X-Forwarded-Host into the page (for example in script or link URLs) and the cache does not key on that header, the cache stores the poisoned page and serves it to all users.

Array Parameter Pollution

Attackers send array syntax in form or query parameters:

role[]=admin

Frameworks that expand bracket syntax (PHP, Rails, Express with the extended query parser) turn this into an array, which the application may then collapse into:

role=admin

bypassing a validator that only inspected the scalar form. In JSON bodies the analogue is duplicate keys: most parsers keep the last occurrence, so a validator that reads the first copy and a consumer that reads the last disagree.

HTTP Downgrade Attacks

Redirecting HTTPS → HTTP to capture credentials on insecure channel.

Why HTTP Has Such a Large Attack Surface

Fundamental reasons:

  • text-based, flexible protocol

  • inconsistent parsing between layers

  • proxy/backend mismatches

  • permissive header system

  • no integrity protection at the HTTP layer itself (confidentiality and integrity come only from TLS underneath)

  • multiple parameter parsing styles

  • variable interpretation across frameworks

  • evolving versions cause confusion

HTTP was designed for simplicity, not security. Today, attackers exploit its openness aggressively.

Impact of HTTP-Level Vulnerabilities

HTTP protocol weaknesses enable:

  • authentication bypass

  • privilege escalation

  • cache poisoning

  • SSRF

  • XSS

  • SQLi

  • request smuggling

  • session hijacking

  • phishing

  • data leakage

  • WAF bypass

  • API abuse

Mastering HTTP-level attacks gives attackers powerful control over web applications.

Intel Dump

  • HTTP is highly flexible and attackers manipulate every component: methods, paths, headers, body, and protocol behavior.

  • Common attack surfaces include header injection, host poisoning, XFF spoofing, content-type misuse, CORS misconfigurations, and cookie tampering.

  • Protocol quirks produce high-impact issues like request smuggling, cache poisoning, and downgrade attacks.

  • Methods, encoding, and routing inconsistencies create bypasses across proxies, CDNs, and backends.

  • Impact ranges from account takeover to full application compromise.
