Information Security 13 min read

Testing HTTP Header Parameters for SQL Injection: Coverage, Tools, and Best Practices

The article examines how HTTP header and cookie parameters can serve as SQL injection vectors, evaluates the coverage of commercial and open‑source web vulnerability scanners, demonstrates manual testing techniques, and recommends tools such as sqlmap for comprehensive security assessments.

Art of Distributed System Architecture Design

Input Parameter Coverage in Web Application Scanners

Comparing 60 commercial and open‑source black‑box web scanners shows that while most support GET and POST parameters, about 75% fail to test HTTP headers and many incorrectly handle cookies, highlighting gaps in input‑vector coverage.

Potential SQL Injection via HTTP Headers

HTTP Header Fields

HTTP headers convey request metadata and can be abused as injection points. Example request:

GET / HTTP/1.1
Connection: Keep-Alive
Host: example.com
User-Agent: Mozilla/5.0
Cookie: guest_id=v1%3A1328019064; pid=v1%3A1328839311134

X‑Forwarded‑For

The X-Forwarded-For header often carries the client IP address. If the application stores this value without proper sanitisation, an attacker can inject SQL code.

// Deliberately vulnerable login query: the result of ip_adr() is concatenated into the SQL unescaped.
$req = mysql_query("SELECT user,password FROM admins WHERE user='".sanitize($_POST['user'])."' AND password='".md5($_POST['password'])."' AND ip_adr='".ip_adr()."'");
function sanitize($param){
    if (is_numeric($param)) { return $param; }
    else { return mysql_real_escape_string($param); }
}
function ip_adr() {
    // X-Forwarded-For is supplied by the client and is preferred over REMOTE_ADDR when present.
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $ip_adr = $_SERVER['HTTP_X_FORWARDED_FOR']; }
    else { $ip_adr = $_SERVER["REMOTE_ADDR"]; }
    // The pattern has no end anchor, so any value that merely starts with an IPv4 address passes.
    if (preg_match("#^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#",$ip_adr)) { return $ip_adr; }
    else { return $_SERVER["REMOTE_ADDR"]; }
}

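By sending a crafted header such as the following, an attacker can bypass authentication. The value passes the check in ip_adr() because the regular expression anchors only the start of the string, and the single quote then closes the ip_adr string literal in the query:

GET /index.php HTTP/1.1
Host: target
X-Forwarded-For: 127.0.0.1' or 1=1#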

User‑Agent

The User-Agent header may be stored by applications (e.g., in shopping carts). An injection example:

GET /index.php HTTP/1.1
Host: target
User-Agent: aaa' or 1/*

Referer

If the Referer header is saved without filtering, it can also lead to SQL injection:

GET /index.php HTTP/1.1
Host: target
User-Agent: aaa' or 1/*
Referer: http://www.example.com

Manual Cookie Vulnerability Testing

Using browser extensions like Cookies Manager+ or Tamper Data, testers can edit cookie values (e.g., appending a single quote) and observe SQL error messages, confirming injection points.

Automated Testing with Sqlmap

Sqlmap supports testing of GET, POST, Cookie, User‑Agent, and Referer parameters. The --level option controls which vectors are exercised (level 2 for cookies, level 3 adds User‑Agent and Referer). Example command targeting a DVWA instance:

./sqlmap.py -u 'http://127.0.0.1/vulnerabilities/sqli/?id=1&Submit=Submit#' \
    --cookie='PHPSESSID=0e4jfbrgd8190ig3uba7rvsip1; security=low' \
    --string='First name' --dbs --level 3 -p PHPSESSID

Scanner Accuracy vs. Input‑Vector Coverage

Using data from sectoolmarket.com, each scanner was scored on detection rate and coverage of the four vectors (GET, POST, Cookie, Headers). The average score combines both metrics, producing a ranking where Arachni, Sqlmap, and IBM AppScan lead with near‑100% coverage and high detection rates.

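| Rank | Vulnerability Scanner | Vendor | Detection Rate | Input Vector Coverage | Average Score |
|------|-----------------------|--------|----------------|-----------------------|---------------|
| 1 | Arachni | Tasos Laskos | 100.00% | 100% | 100.00% |
| 2 | Sqlmap | sqlmap developers | 97.06% | 100% | 98.53% |
| 3 | IBM AppScan | IBM Security Sys Division | 93.38% | 100% | 96.69% |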

Additional rows omitted for brevity

Recommendations

For Developers

Treat cookies and other stored HTTP header fields like regular form inputs, applying proper validation and sanitisation.
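
Applied to the X-Forwarded-For login code shown earlier, this recommendation looks as follows. This is an added example, not code from the original article: client_ip() and find_admin() are hypothetical names, the schema and sample row are constructed, and an in-memory SQLite database (PHP's pdo_sqlite extension is assumed) stands in for MySQL so the script runs offline.

```php
<?php
// Added example: hardened counterpart to the article's ip_adr() and login query.
// Schema, sample row and addresses are constructed; SQLite stands in for MySQL.

// The article's pattern: anchored at the start only.
const UNANCHORED = '#^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#';

// Hypothetical replacement for ip_adr(): the whole value must be one IP address.
function client_ip(array $server): string {
    $candidate = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // filter_var() checks the complete string, so trailing text fails validation.
    if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
        return $candidate;
    }
    return $server['REMOTE_ADDR'];
}

// Hypothetical lookup: every request-derived value is a bound parameter.
function find_admin(PDO $db, string $user, string $hash, string $ip): ?array {
    $stmt = $db->prepare(
        'SELECT user FROM admins WHERE user = :u AND password = :p AND ip_adr = :ip'
    );
    $stmt->execute([':u' => $user, ':p' => $hash, ':ip' => $ip]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admins (user TEXT, password TEXT, ip_adr TEXT)');
$db->prepare('INSERT INTO admins VALUES (?, ?, ?)')
   ->execute(['admin', 'constructed-hash', '127.0.0.1']);

$header = "127.0.0.1' or 1=1#";  // header value quoted in the article
$server = ['HTTP_X_FORWARDED_FOR' => $header, 'REMOTE_ADDR' => '203.0.113.7'];

// 1. The original pattern lets the value through; the strict check does not.
var_dump(preg_match(UNANCHORED, $header) === 1);
var_dump(client_ip($server));

// 2. Bound as data, the same value matches no row even if validation is skipped.
var_dump(find_admin($db, 'nobody', 'wrong-hash', $header));

// 3. A legitimate login still works.
var_dump(find_admin($db, 'admin', 'constructed-hash', '127.0.0.1'));
```

Strict validation only guarantees the value is a well-formed address; X-Forwarded-For remains client-supplied, so it should be honoured only when REMOTE_ADDR is a proxy the application trusts. A comma-separated proxy chain fails the check here and falls back to REMOTE_ADDR.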

For Testers

Include HTTP headers, especially Referer and User‑Agent, in your test matrix, as they can reveal SQL injection or XSS flaws when stored or processed by the application.

Disclaimer: The content is sourced from public internet channels and is provided for reference only; original copyrights belong to the authors.