2

I have been struggling to replicate an issue we are facing in Production. The clients are sending multiple headers with the same name via a cookie and we are trying to troubleshoot the same via CURL. The intent is to send TWO header values for the same header name so that the application (below as myhost) can intercept it via this curl attempt. However, when I attempt something like this, the server, the "x-targetted-group" value doesn't resolve. IF I send TWO headers using -H "X-targetted-group:Group1" - "x-targetted-group:Group2", the server only gets the first one. How can i send both ?

curl -i -H "Accept: application/json" -H "x-targetted-group:Group1,Group2"  https://myhost:8990/"
Improve this question

3 Answers 3

Reset to default
1

curl won't let you. So answer is you can't. Later version of wget won't either.

If you want to experiment with odd possibly malformed HTTP requests, you can just craft your own - it's all just plain text. Example using netcat:

> cat request.txt # I.e. the contents of the file request.txt is:
GET /
Accept: application/json
X-targetted-group: Group1
X-targetted-group: Group2

> nc myhost 8990 <request.txt

The HTTP spec says lines have to end in CRLF (\r\n) so the above might not be accepted by your server unless the text file request.txt uses CRLF line termination (there is an option for saving like that in text editors ..).

Aside: What HTTP spec says about multiple headers with the same name (they are allowed):

Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]. It MUST be possible to combine the multiple header fields into one "field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field-value to the first, each separated by a comma. The order in which header fields with the same field-name are received is therefore significant to the interpretation of the combined field value, and thus a proxy MUST NOT change the order of these field values when a message is forwarded.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Unfortunately the HTTP spec for this is incomprehensible without an example.
1

I used to perform a lot of bad queries syntax attacks on HTTP servers. By definition, curl or wget won't let you do much bad syntax work.

You should try to use low level netcat + printf.

With printf, you write your HTTP query, and netcat will manage the socket connection (for ssl connections you can replace netcat with openssl_client).

That would look like (for a basic query):

printf 'GET /my/url?foo=bar HTTP/1.1\r\n'\
'Host: www.example.com\r\n'\
'\r\n'\
| nc -q 2 127.0.0.1 80

And for a more complex one (repeated header & old ops-fold header syntax, not also how to write a %character in printf):

printf 'GET /my/url?foo=bar&percent_char=%% HTTP/1.1\r\n'\
'Host: www.example.com\r\n'\
'x-foo-header: value1\r\n'\
'x-foo-header: value2\r\n'\
'x-foo-header: value3, value4\r\n'\
'x-foo-header:\t\tval5\r\n'\
' val6\r\n'\
'User-agent: tests\r\n'\
'\r\n'\
| nc -q 2 127.0.0.1 80

Once you get used of it it's a pleasure, no limitations.

Improve this answer

Comments

-1

This is a limitation of the HTTP protocol itself. You are not allowed to send multiple headers with the same name unless they are sent in the same key as a comma separated list of values. Take a look at this answer.

Improve this answer

3 Comments

that is what i was trying to do (its the answer I looked at) . "One somewhat "plausible" scenario comes to mind: When the HTTP request is passing through a proxy, the proxy might simply tack on another header (say, an X-Forwarded-For, or an extra Accept-Encoding), rather than determine if a header already exists, then parse and modify it accordingly.". Am looking to construct this format in curl (unless I'm misreading something here). How would I do that?
-H "x-targetted-group:Group1,Group2"
Ah OK. In that case that is the correct way to send the request using curl, so i doubt its an issue with curl. Even though the http spec specifies this is possible - it is upto the individual server implementations to allow this. So either your server or a proxy might not be allowing this - especially for custom headers.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.