Configurable Header Injection Analyzer

Configuration Name: ConfigurableHeaderInjection

Description

The ConfigurableHeaderInjection analyzer sends user-specified strings in the HTTP headers of a request. This enables users of Sift to configure specific attack vectors in an analysis run.

Configuration Parameters

The ConfigurableHeaderInjection analyzer requires one or more attack rules, each made up of a set of attack strings and an associated severity.

  • attacks: list of attack rules

Each attack rule in the attacks list is an object with the following fields:

  • name: Name of a rule used to identify any faults reported by the analyzer.
  • file: Path of a file on the local filesystem that contains attack strings.
  • injectionStrings: List of attack strings given in the configuration directly.
  • severity: Severity to be reported in a finding if the rule fails. One of "high", "medium", or "low".
  • header: Name of the HTTP header in which to inject the rule's attack strings. For example, an attack string may be sent in the User-Agent header.

If specified, the value of file must be a filename that contains a list of attack strings, one per line.

attackString1
attackString2
attackString3
...
attackStringN

If both file and injectionStrings are given, then the list of attack vectors is the combined list of strings found in both.

Faults Reported

The name and severity configuration fields of an attack rule are used when reporting a finding for a detected fault. The name parameter is included in the title of the fault, and the severity field sets the severity of the fault.

Fault Identifier: SIF-101
Title: User Header Injection - {name}
Summary: A user-specified string was used as an attack vector in the HTTP header of an operation.
Solution: The API implementation should properly sanitize inputs; the API should respond with a client error for an invalid header value.
Severity: {severity} as configured
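As an added illustration (not Sift's own code, which is not shown on this page), the following Python models the rule handling described above: the strings from file and injectionStrings are combined, each string is placed in the configured header, and SIF-101 is reported with the rule's name and severity whenever the API does not answer with a client error. The dict shape of the configuration, the send callback and the 4xx check are assumptions; all strings and the fake API are constructed for the demo.

```python
import os
import tempfile

def load_attack_strings(rule, base_dir="."):
    """Combine the rule's file (one string per line) with its injectionStrings."""
    if rule["severity"] not in ("high", "medium", "low"):
        raise ValueError(f"rule {rule['name']!r}: bad severity {rule['severity']!r}")
    strings = []
    if "file" in rule:  # file is optional; its path is taken relative to base_dir
        with open(os.path.join(base_dir, rule["file"])) as fh:
            strings.extend(line.rstrip("\n") for line in fh if line.strip())
    strings.extend(rule.get("injectionStrings", []))
    return strings

def build_request_headers(rule, attack_string):
    """Headers for one probe request: the string goes in the configured header."""
    return {rule["header"]: attack_string}

def evaluate_response(rule, attack_string, status_code):
    """SIF-101 is reported unless the API rejected the header value with a client error."""
    if 400 <= status_code < 500:
        return None
    return {"identifier": "SIF-101",
            "title": f"User Header Injection - {rule['name']}",
            "severity": rule["severity"], "header": rule["header"],
            "value": attack_string, "status": status_code}

def run_rules(config, send, base_dir="."):
    """send(headers) -> HTTP status code (assumed callback); returns all faults found."""
    faults = []
    for rule in config["attacks"]:
        for s in load_attack_strings(rule, base_dir):
            fault = evaluate_response(rule, s, send(build_request_headers(rule, s)))
            if fault:
                faults.append(fault)
    return faults

def demo():
    """Constructed run: one rule with a strings file plus inline strings, against a
    fake API that rejects only one of the values. Returns the reported faults."""
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "strings.txt"), "w") as fh:
        fh.write("file-string-1\nfile-string-2\n")  # constructed, one string per line
    config = {"attacks": [{"name": "ua-check", "file": "strings.txt",
                           "injectionStrings": ["inline-string-1"],
                           "severity": "medium", "header": "User-Agent"}]}
    # A 400 for file-string-2 is correct behaviour; a 200 for the others is a fault.
    send = lambda headers: 400 if headers["User-Agent"] == "file-string-2" else 200
    return run_rules(config, send, base)
```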