Annotator hdrinj

Header injection attempts

Input patterns suggest attempts to manipulate headers or downstream header parsing.

Attack family · Header injection and intermediary confusion
Phase · Reconnaissance and exploit staging
Risk · High

What This Annotator Watches

This explanation is derived from the live annotator implementation, not hand-waved catalog copy.
Focus
  • Header-structure manipulation and delimiter abuse
  • Proxy and downstream parsing confusion patterns
  • Smuggling-adjacent and cache/proxy edge header anomalies
Logic
  • The annotator deduplicates by rule and keeps the strongest header finding.
  • It is most valuable around reverse proxies, caches, and layered application stacks.
  • Signals are grouped so one malformed request does not explode into noisy duplicates.
Attack Family
Header injection and intermediary confusion
Phase · Reconnaissance and exploit staging
Risk · High
Headers are where browsers, proxies, CDNs, caches, WAFs, and applications negotiate reality. If an attacker can confuse that layer, they can sometimes split one request into multiple interpretations.
Damage Patterns
  • Header manipulation can contribute to cache poisoning, request smuggling style behavior, auth confusion, and proxy bypasses.
  • The damage is especially sharp in layered stacks where each hop parses the same bytes differently.
Incident Lore
  • Some of the most technically elegant web attacks have come from tiny header ambiguities that turned shared infrastructure against itself.
  • These incidents tend to hurt badly because they hide in the seams between teams: CDN, proxy, app, and platform.
How To Read It
Interpret this as an attempt to manipulate how intermediaries or the app parse request headers.
Defender Takeaway
Treat this as a stack-boundary signal. The attacker is testing whether your intermediaries agree on what the request means.
Catalog Definition
Flags indicators consistent with header injection or header-structure manipulation, such as suspicious delimiter/control-character patterns and payloads aimed at confusing proxies or application parsing. This can be relevant to cache/proxy edge behavior and request smuggling-adjacent classes. Present evidence carefully (avoid excessive payload disclosure) and interpret with endpoint and repetition context.
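As an added illustration of the logic described above (example code written for this page, not the live annotator's implementation), the scan below applies the same shape of rules to request targets modelled on this page's samples: one finding per rule, the strongest kept first, and evidence trimmed to a short escaped window so the payload is not reproduced in full. Rule ids other than hdrinj:encoded_newline, and all severity weights, are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote

# Assumed rule table: (pattern, severity). Only hdrinj:encoded_newline appears in the
# catalog; the other two ids and every weight are this example's assumptions.
RULES = {
    "hdrinj:encoded_newline": (re.compile(r"%0[da]", re.I), 24),          # %0d / %0a in the raw target
    "hdrinj:double_encoded_newline": (re.compile(r"%250[da]", re.I), 30), # %250d / %250a (survives one decode hop)
    "hdrinj:injected_header_line": (re.compile(r"[\r\n][A-Za-z0-9-]+:"), 40),  # a "name:" line after a break
}

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: int
    evidence: str

def _evidence(text: str, start: int, end: int, window: int = 12) -> str:
    """Keep only a short window around the match, with control characters escaped,
    so the catalog shows what triggered without disclosing the whole payload."""
    snippet = text[max(0, start - window):min(len(text), end + window)]
    return snippet.encode("unicode_escape").decode("ascii")

def scan_target(target: str) -> List[Finding]:
    """Return at most one Finding per rule for one request target, strongest first."""
    decoded = unquote(target)  # one decode pass: %0d -> '\r', %250d -> '%0d'
    best: Dict[str, Finding] = {}
    for rule, (pattern, severity) in RULES.items():
        # The header-line rule looks at the decoded bytes; the encoding rules at the raw target.
        haystack = decoded if rule.endswith("injected_header_line") else target
        for m in pattern.finditer(haystack):
            # Dedupe by rule: repeated %0d in one request yields a single finding.
            best.setdefault(rule, Finding(rule, severity, _evidence(haystack, m.start(), m.end())))
    return sorted(best.values(), key=lambda f: -f.severity)

def strongest(target: str) -> Optional[Finding]:
    """The single finding the catalog would surface for this request, or None."""
    findings = scan_target(target)
    return findings[0] if findings else None

if __name__ == "__main__":
    # Constructed request targets shaped like this page's samples.
    for t in ["/hsqldb%0a", "/404%0dnew-header:value%0da:", "/.%0d./.%0d./bin/sh", "/healthz"]:
        print(t, "->", strongest(t))
```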

10 Most Recent Real Samples

Weekly cached from live annotated access events so the catalog stays fast.
Week · 2026W15
Lookback · 30 days
Total matched · 14
Latest sample · Apr 05, 2026 • 14:36
Top rules · hdrinj:encoded_newline (10)
Top requester orgs · FranTech Solutions (6), Vietnam Posts and Telecommunications Group (1), Alibaba.com Singapore E-Commerce Private Limited (1)
Severity mix · 24 (10)
Method mix · GET (8), POST (2)
GET 404 24
Apr 05, 2026 • 14:36
/manage/webshell/u?_=5621298674064&h=15&k=%0A&l=62&s=5&w=218
Encoded newline detected (%0d/%0a)
IP 113.167.38.37 Subnet 113.167.38.0/24 Org Vietnam Posts and Telecommunications Group Country Vietnam Rule hdrinj:encoded_newline
GET 404 24
Mar 31, 2026 • 13:35
/cgi-bin/kerbynet?Action=StartSessionSubmit&PW=&User=%27%0Acat+%2Fetc%2Fpasswd%0A%27
Encoded newline detected (%0d/%0a)
IP 8.217.183.111 Subnet 8.217.183.0/24 Org Alibaba.com Singapore E-Commerce Private Limited Country Hong Kong Rule hdrinj:encoded_newline
GET 404 24
Mar 27, 2026 • 07:57
/cgi-bin/kerbynet?Action=StartSessionSubmit&PW&User=%27%0Acat+%2Fetc%2Fpasswd%0A%27
Encoded newline detected (%0d/%0a)
IP 201.224.201.76 Subnet 201.224.201.0/24 Org Cable & Wireless Panama Country Panama Rule hdrinj:encoded_newline
GET 404 24
Mar 26, 2026 • 17:09
/hsqldb%0A
Encoded newline detected (%0d/%0a)
IP 177.152.83.59 Subnet 177.152.83.0/24 Org Iwnet Telecom Ltda ME Country Brazil Rule hdrinj:encoded_newline
GET 301 24
Mar 23, 2026 • 21:34
/404%0dnew-header:value%0da:
Encoded newline detected (%0d/%0a)
IP 107.189.16.114 Subnet 107.189.16.0/24 Org FranTech Solutions Country Netherlands Rule hdrinj:encoded_newline
GET 404 24
Mar 23, 2026 • 19:53
/404%0dnew-header:value%0da:
Encoded newline detected (%0d/%0a)
IP 107.189.16.114 Subnet 107.189.16.0/24 Org FranTech Solutions Country Netherlands Rule hdrinj:encoded_newline
GET 301 24
Mar 22, 2026 • 02:43
/hsqldb%0a
Encoded newline detected (%0d/%0a)
IP 107.189.16.114 Subnet 107.189.16.0/24 Org FranTech Solutions Country Netherlands Rule hdrinj:encoded_newline
GET 404 24
Mar 21, 2026 • 17:44
/hsqldb%0a
Encoded newline detected (%0d/%0a)
IP 107.189.16.114 Subnet 107.189.16.0/24 Org FranTech Solutions Country Netherlands Rule hdrinj:encoded_newline
POST 301 24
Mar 18, 2026 • 21:53
/.%0d./.%0d./.%0d./.%0d./bin/sh
Encoded newline detected (%0d/%0a)
IP 107.189.16.114 Subnet 107.189.16.0/24 Org FranTech Solutions Country Netherlands Rule hdrinj:encoded_newline
POST 404 24
Mar 18, 2026 • 20:22
/.%0d./.%0d./.%0d./.%0d./bin/sh
Encoded newline detected (%0d/%0a)
IP 107.189.16.114 Subnet 107.189.16.0/24 Org FranTech Solutions Country Netherlands Rule hdrinj:encoded_newline