Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: HTTP Headers Illicit Characters - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
HTTP Headers Illicit Characters
Recently I came across one of our applications with illicit characters in the values of some of the Web Application headers. I am able to write tests for this but I have been unable to find any authoritative document that outlines what characters are or are not allowed in a Web Application Header directive or value.

It would seem that this should be some of the characters in the normal US ASCII table such as A-Z0-9 etc... but I have seen vertical tabs, bell chars etc..

Does anyone know of a good reference?

2 Posts
You can find the standard here:… . RFC 7230 is the most recent HTTP standard and section 3.2.6 defines what is (and is not) allowed in HTTP headers. Johannes

4473 Posts
ISC Handler
First thank you very much try to listen to your POD Cast at 5:00 Houston time.

if I understand the link here:

Then the approved characters in a header directive and/or its value is the US-ASCII visible set here:

However; these values (),/:;<=>?@[\]{} are not allowed in the directive and they must be used as delimiters within the value of the directive unless in comments.

Am I interpreting this correctly?

So even a tilde can be used in a directive legally?

2 Posts

Sign Up for Free or Log In to start participating in the conversation!