
How do I use header injections in a web assessment?

Header injections allow you to include custom HTTP headers in a web application assessment. This can be useful for bypassing authentication mechanisms, maintaining session state, or interacting with APIs that require specific headers.

Header injection format

Enter header information using the following format:

<Header-Name>: <value>


Examples:

  • Accept: */*

  • Accept: application/json

  • Content-Type: application/json

  • Content-Type: text/plain

You can add multiple headers, and all specified headers will be sent with each request during the scan.

Common use cases

Example 1: Bypass a complex login form using a session cookie

If mwf_login is the session identifier for the application:

Cookie: Name=OskarID1


Example 2: Bypass a login form using a custom session cookie

If the Example cookie is the session identifier:

Cookie: Example=Example


Example 3: Bypass basic authentication

Authorization: BasicAuth sL092k3YvLk


When an Authorization header is provided, it overrides any basic authentication record configured.
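
The Python code below is an added example, not part of the product or of the original article. It checks entries against the `<Header-Name>: <value>` format before they go into a scan configuration, rejects embedded CR/LF and other control characters, and masks Cookie and Authorization values when the header list is logged. The function names are hypothetical, the credentials are constructed placeholders, and `basic_credentials` assumes the target expects the standard RFC 7617 `Basic` scheme.

```python
import base64
import re

# RFC 7230 "token": the characters allowed in a header field name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Control characters (CR and LF included) must never reach a header line.
CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
# Headers that carry credentials and should be masked in logs and tickets.
SENSITIVE = {"authorization", "proxy-authorization", "cookie"}


def parse_header(entry):
    """Validate one '<Header-Name>: <value>' entry and return (name, value)."""
    if CONTROL.search(entry):
        raise ValueError("control character (CR/LF/NUL) in header entry")
    name, sep, value = entry.partition(":")
    if not sep or not TOKEN.fullmatch(name):
        raise ValueError(f"invalid header name: {name!r}")
    value = value.strip(" \t")
    if not value:
        # An empty value is treated as a configuration mistake here.
        raise ValueError(f"empty value for header {name!r}")
    return name, value


def basic_credentials(user, password):
    """Build an RFC 7617 value: 'Basic ' + base64('user:password')."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def redact(headers):
    """Render headers for logging with credential values masked."""
    return [f"{n}: <redacted>" if n.lower() in SENSITIVE else f"{n}: {v}"
            for n, v in headers]


if __name__ == "__main__":
    # Constructed sample entries; the credentials are placeholders.
    entries = [
        "Accept: application/json",
        "Cookie: Example=Example",
        "Authorization: " + basic_credentials("Aladdin", "open sesame"),
    ]
    for line in redact([parse_header(e) for e in entries]):
        print(line)
```

Because every configured header is sent with each request during the scan, a session cookie or Authorization value entered here appears in all scan traffic, so use a dedicated test account and redact these values wherever the configuration is stored or shared.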