headi is a simple HTTP header injection tool written in Go. It automates the process of attempting to bypass forbidden errors on application resources by utilising specific HTTP headers (listed in the following section).
Custom payloads can be provided in order to target internal domains or IPs.
Injected Headers
- Client-IP
- Connection
- Contact
- Forwarded
- From
- Host
- Origin
- Referer
- True-Client-IP
- X-Client-IP
- X-Custom-IP-Authorization
- X-Forward-For
- X-Forwarded-For
- X-Forwarded-Host
- X-Forwarded-Server
- X-Host
- X-HTTP-Host-Override
- X-Original-URL
- X-Originating-IP
- X-Real-IP
- X-Remote-Addr
- X-Remote-IP
- X-Rewrite-URL
- X-Wap-Profile
An initial baseline request is made to gauge the normal response for the target resource. Green indicates a change in the response and red no change, [+] and [-] respectively.
Examples
Two options for injection:
- Default payloads (127.0.0.1, localhost, etc.) are injected into the headers mentioned above
- Custom payloads can be supplied (e.g. you’ve enumerated some internal IPs or domains)
1
2
3
4
5
6
7
8
9
$ headi
Usage:
headi -u https://target.com/resource
headi -u https://target.com/resource -p internal_addrs.txt
Options:
-p, --pfile <file> Payload File
-t, --timeout <millis> HTTP Timeout
-u, --url <url> Target URL
Currently only takes one URL as input but you can easily bash script for numerous URLs like so:
1
$ for i in $(cat urls); do headi -url $i;done
An example is provided below from the HTB machine Control: 