Release: headi


headi is a simple HTTP header injection tool written in Go. It automates the process of attempting to bypass forbidden errors on application resources by utilising specific HTTP headers (listed in the following section).

Custom payloads can be provided in order to target internal domains or IPs.

Injected Headers

  • Client-IP
  • Connection
  • Contact
  • Forwarded
  • From
  • Host
  • Origin
  • Referer
  • True-Client-IP
  • X-Client-IP
  • X-Custom-IP-Authorization
  • X-Forward-For
  • X-Forwarded-For
  • X-Forwarded-Host
  • X-Forwarded-Server
  • X-Host
  • X-HTTP-Host-Override
  • X-Original-URL
  • X-Originating-IP
  • X-Real-IP
  • X-Remote-Addr
  • X-Remote-IP
  • X-Rewrite-URL
  • X-Wap-Profile

An initial baseline request is made to gauge the normal response for the target resource. In the output, green ([+]) indicates a change in the response and red ([-]) indicates no change.
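From the defending side, an application should only honour these headers when they arrive from its own reverse proxy. The following is an added example, not part of headi or of the original post: a Go helper that strips the address, host and URL override headers from the list above when the TCP peer is not a trusted proxy, and returns the names it removed for logging. The function names, the choice of header subset and the 10.0.0.0/8 proxy range are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

// Headers from the list above that override client address, host or URL.
// The subset is this example's choice: Origin, Referer, Connection etc. are
// left alone because legitimate clients send them.
var overrideHeaders = []string{
	"Client-IP", "Forwarded", "True-Client-IP", "X-Client-IP",
	"X-Custom-IP-Authorization", "X-Forward-For", "X-Forwarded-For",
	"X-Forwarded-Host", "X-Forwarded-Server", "X-Host",
	"X-HTTP-Host-Override", "X-Original-URL", "X-Originating-IP",
	"X-Real-IP", "X-Remote-Addr", "X-Remote-IP", "X-Rewrite-URL",
}

// fromTrustedProxy reports whether the TCP peer is in a trusted proxy network.
func fromTrustedProxy(remoteAddr string, trusted []*net.IPNet) bool {
	host, _, _ := net.SplitHostPort(remoteAddr)
	ip := net.ParseIP(host) // nil if the address did not parse
	for _, n := range trusted {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// StripOverrides deletes override headers sent by untrusted peers and
// returns the names removed so the caller can log them.
func StripOverrides(r *http.Request, trusted []*net.IPNet) (removed []string) {
	if fromTrustedProxy(r.RemoteAddr, trusted) {
		return nil
	}
	for _, h := range overrideHeaders {
		if len(r.Header.Values(h)) > 0 {
			removed = append(removed, h)
			r.Header.Del(h)
		}
	}
	return removed
}

func main() {
	_, proxies, _ := net.ParseCIDR("10.0.0.0/8") // constructed proxy range
	r := &http.Request{RemoteAddr: "203.0.113.7:51000", Header: http.Header{"X-Forwarded-For": {"127.0.0.1"}}} // constructed request
	fmt.Println(StripOverrides(r, []*net.IPNet{proxies}))
}
```

Call `StripOverrides` at the start of the handler chain, before any access-control decision reads the request. A non-empty return value from a direct client is worth logging, since ordinary browsers do not send these headers.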

Examples

Two options for injection:

  1. Default payloads (127.0.0.1, localhost, etc.) are injected into the headers mentioned above
  2. Custom payloads can be supplied (e.g. you’ve enumerated some internal IPs or domains)

$ headi
Usage:
  headi -u https://target.com/resource
  headi -u https://target.com/resource -p internal_addrs.txt

Options:
  -p, --pfile <file>       Payload File
  -t, --timeout <millis>   HTTP Timeout
  -u, --url <url>          Target URL

headi currently takes only one URL as input, but a short bash loop handles multiple URLs:

$ while read -r i; do headi -u "$i"; done < urls

An example is provided below from the HTB machine Control: