=== PHASE 5: HTTP HEADER INJECTION ===

--- Test: Host header injection ---
Response: HTTP/2 503 (IIS rejects mismatched Host header)
Body contains evil.com: 0

--- Test: X-Forwarded-Host injection ---
Response: HTTP/2 200 (normal SPA served, header ignored)
Body contains evil.com: 0

--- Test: X-Forwarded-For bypass ---
Response: HTTP/2 401 (no IP-based auth bypass)

--- Test: CRLF injection (Set-Cookie) ---
Response: HTTP/2 400 (blocked by HTTP.sys/HTTPAPI 2.0)
No cookie injected.

--- Test: CRLF injection (X-Injected) ---
Response: HTTP/2 400 (blocked by HTTP.sys/HTTPAPI 2.0)
No header injected.