I am currently conducting a pentest and I found an application vulnerable to HTTP header injection, where the user input is reflected after the Content-Type header, and the Content-Type is set to application/force-download. That is, the attacker can pass content in the GET parameter that is then reflected in the header. Imagine a request like so:
/vulnerable_application?param=reflected-header_malicious_payload
Which then yields a response like so:
HTTP/1.1 200 OK
Date: Wed, 06 Nov 2019 22:14:22 GMT
Server: [...]
Content-Length: 2
Content-Type: application/force-download; charset=UTF-16
Content-Disposition: attachment; filename=reflected-header_malicious_payload
Connection: close
I am trying to assess the severity of this finding, in particular whether it would allow for a reflected XSS attack. It seems to me that there is no way to get around the Content-Type: application/force-download, which leads me to believe that the severity is pretty low.
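As an added example (not code from the question or from the application under test), here is a Python sketch of the flaw the question describes beside a hardened version: the vulnerable helper reflects the untrusted value straight into the Content-Disposition header, while the safe helper strips CR, LF and other control characters (so no header line can be terminated), keeps only the final path component, and emits a quoted ASCII filename plus an RFC 5987 filename* form for non-ASCII names. A small well-formedness check shows how a reviewer or test suite can detect the injection. All function and variable names are assumptions, and the inputs in the usage lines are constructed.

```python
import re
from urllib.parse import quote

# Hypothetical helper names; example code, not the questioner's application.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF, NUL, DEL, etc.


def vulnerable_content_disposition(user_filename: str) -> str:
    """Reflects the untrusted value straight into the header value.

    This is the pattern the question describes: a CR/LF in the input ends
    the header line and whatever follows is parsed as a new header.
    """
    return f"attachment; filename={user_filename}"


def safe_content_disposition(user_filename: str) -> str:
    """Builds a Content-Disposition value that cannot break out of the header."""
    # 1. Drop control characters so no header line can be terminated.
    raw = CONTROL_CHARS.sub("", user_filename)
    # 2. Keep only the final path component and drop leading/trailing dots
    #    and spaces (also defuses path-style names like ../../etc/passwd).
    raw = raw.replace("\\", "/").rsplit("/", 1)[-1].strip(" .") or "download"
    # 3. Conservative ASCII fallback: anything outside a small safe set
    #    becomes '_'. This removes '"' and '\' so the quoted form is safe.
    ascii_name = re.sub(r"[^A-Za-z0-9._ -]", "_", raw)
    header = f'attachment; filename="{ascii_name}"'
    if ascii_name != raw:
        # 4. Preserve the original (control-free) name for modern clients via
        #    RFC 5987 filename*, percent-encoding everything non-unreserved.
        header += "; filename*=UTF-8''" + quote(raw, safe="")
    return header


def header_block_is_wellformed(headers: dict) -> bool:
    """Detection check: no header value may contain CR or LF."""
    return all("\r" not in v and "\n" not in v for v in headers.values())


if __name__ == "__main__":
    # Constructed sample input: a filename carrying a CRLF sequence.
    tainted = "report.txt\r\nX-Injected: 1"
    print(repr(vulnerable_content_disposition(tainted)))
    print(repr(safe_content_disposition(tainted)))
    print(header_block_is_wellformed(
        {"Content-Disposition": vulnerable_content_disposition(tainted)}))
    print(header_block_is_wellformed(
        {"Content-Disposition": safe_content_disposition(tainted)}))
```

The same validation belongs in the framework layer as well: most HTTP libraries already reject CR/LF in header values, so the first question to ask the application owner is why the value reached the response unchecked.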