https://github.com/mlcsec/headi

Customisable and automated HTTP header injection
https://github.com/mlcsec/headi

bugbounty golang header-injection

Last synced: about 14 hours ago
JSON representation

Customisable and automated HTTP header injection

• Host: GitHub
• URL: https://github.com/mlcsec/headi
• Owner: mlcsec
• Created: 2020-12-19T13:56:16.000Z (almost 4 years ago)
• Default Branch: main
• Last Pushed: 2024-06-27T11:20:13.000Z (4 months ago)
• Last Synced: 2024-08-01T10:16:56.951Z (3 months ago)
• Topics: bugbounty, golang, header-injection
• Language: Go
• Homepage:
• Size: 37.1 KB
• Stars: 211
• Watchers: 5
• Forks: 50
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-bugbounty-tools - headi - Customisable and automated HTTP header injection. (Exploitation / Header Injection)
• WebHackersWeapons - headi
• awesome-hacking-lists - mlcsec/headi - Customisable and automated HTTP header injection (Go)

README

        
# headi

Customisable and automated HTTP header injection.  Example run from the HTB machine Control:



`InsecureSkipVerify` is not currently configured, if you want to disable security checks then feel free to uncomment `crypto/tls` in the imports and the `TLSClientConfig:   &tls.Config{InsecureSkipVerify: true},` lines in http transport configuration and then build locally.




## Install

```

go install github.com/mlcsec/headi@latest

```

Or from git:

```shell

git clone https://github.com/mlcsec/headi.git

make before.build

make build.headi

sudo mv headi /usr/local/bin

```




## Headers

Injects the following HTTP headers:

* Client-IP

* Connection

* Contact

* Forwarded

* From

* Host

* Origin

* Referer

* True-Client-IP

* X-Client-IP

* X-Custom-IP-Authorization

* X-Forward-For

* X-Forwarded-For

* X-Forwarded-Host

* X-Forwarded-Server

* X-Host

* X-HTTP-Host-Override

* X-Original-URL

* X-Originating-IP

* X-Real-IP

* X-Remote-Addr

* X-Remote-IP

* X-Rewrite-URL

* X-Wap-Profile

An initial baseline request is made to gauge the normal response for the target resource.  Green indicates a change in the response and red no change.  `[+]` and `[-]` respectively.




## Usage

Two options for HTTP header injection:

1. Default payloads (127.0.0.1, localhost, etc.) are injected into the headers mentioned above

2. Custom payloads can be supplied (e.g. you've enumerated some internal IPs or domains) using the `pfile` parameter

```

$ headi

Usage:

  headi -u https://target.com/resource

  headi -u https://target.com/resource -p internal_addrs.txt

Options:

  -p, --pfile        Payload File

  -t, --timeout    HTTP Timeout

  -u, --url           Target URL

```

Currently only takes one URL as input but you can easily bash script for numerous URLs like so:

```

$ for i in $(cat urls); do headi -url $i;done

```