Client Side Vulnerabilities / Ajax Request Header Manipulation
Ajax request header manipulation (classified under CWE-20, Improper Input Validation) is a client-side vulnerability in web and API applications that is exploited by altering the HTTP request headers the client sends to the server. An attacker who can control these headers may gain access to restricted resources, bypass authentication or authorization checks, or modify data stored by the application. OWASP Testing Guide V.4 states that application testing should include header manipulation tests to verify that the application is not vulnerable to this class of attack.
The risk associated with this vulnerability is high, because it lets an attacker read sensitive application data or trigger unintended actions. If an application is vulnerable to Ajax request header manipulation, an attacker can set HTTP headers such as User-Agent and Referer to arbitrary values in order to reach resources or bypass authentication and authorization mechanisms that rely on those headers.
The best way to prevent Ajax request header manipulation is strong input validation combined with output encoding. The application should reject requests with an invalid or unexpected Content-Type and should not accept requests that carry more than one Content-Type header. The application must also avoid treating request headers as trustworthy: headers such as User-Agent and Referer are set entirely by the client and can be spoofed, so they must never serve as proof of identity or as a substitute for a server-issued credential.
The following example shows a malicious request to retrieve user information. The malicious request contains a modified user-agent header that is used to bypass authentication:
    GET /users/1 HTTP/1.1
    User-Agent: malicious-user-agent
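To make the failure and the fix concrete, here is an added example (not code from the original page) of a hypothetical request handler that authenticates on the User-Agent header, beside a hardened handler that ignores descriptive headers, requires a server-issued bearer token, and rejects duplicate or unexpected Content-Type headers as recommended above. The users, session tokens and header lists are constructed sample data.

```python
import re

# Constructed sample data for the demo; not from any real application.
USERS = {1: {"name": "alice", "email": "alice@example.invalid"},
         2: {"name": "bob", "email": "bob@example.invalid"}}
# Opaque session tokens issued by the server, mapped to the authenticated user id.
SESSIONS = {"s3ss10n-alice": 1, "s3ss10n-bob": 2}
USER_PATH = re.compile(r"^/users/(\d+)$")


def _header_values(headers, name):
    """Return every value sent for a header name (names are case-insensitive)."""
    return [v for n, v in headers if n.lower() == name.lower()]


def handle_vulnerable(path, headers):
    """Hypothetical handler that treats a magic User-Agent as authentication."""
    m = USER_PATH.match(path)
    if not m:
        return 404, None
    # The client chooses its own User-Agent, so this check proves nothing.
    if _header_values(headers, "User-Agent") == ["internal-admin-client"]:
        return 200, USERS.get(int(m.group(1)))
    return 401, None


def handle_hardened(path, headers):
    """Identity comes from a server-issued token; User-Agent/Referer are ignored."""
    m = USER_PATH.match(path)
    if not m:
        return 404, None
    # Reject ambiguous framing: more than one Content-Type, or a type never accepted.
    ctypes = _header_values(headers, "Content-Type")
    if len(ctypes) > 1 or (ctypes and ctypes[0].split(";")[0].strip() != "application/json"):
        return 415, None
    # Exactly one Authorization header carrying a known bearer token.
    auth = _header_values(headers, "Authorization")
    if len(auth) != 1 or not auth[0].startswith("Bearer "):
        return 401, None
    principal = SESSIONS.get(auth[0][len("Bearer "):])
    if principal is None:
        return 401, None
    # Authorization: a user may only read their own record.
    target = int(m.group(1))
    if principal != target:
        return 403, None
    return 200, USERS[target]
```

The same forged request that succeeds against handle_vulnerable is refused by handle_hardened, and a valid token for alice still cannot read bob's record.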