HIGH header injectionaspnethmac signatures

Header Injection in Aspnet with Hmac Signatures

Scan for header injection in aspnet

Header Injection in Aspnet with Hmac Signatures — how this specific combination creates or exposes the vulnerability

Header Injection in ASP.NET occurs when untrusted input is reflected into HTTP headers without validation or encoding. When HMAC signatures are used to authenticate requests, an attacker may attempt to inject additional headers (e.g., X-Forwarded-For, Authorization, or custom headers) to bypass signature validation or influence server behavior. Because HMAC signatures are typically computed over a subset of headers and the request payload, injected headers that are not included in the signature can change server logic without invalidating the signature.

In ASP.NET, this often manifests when developer code builds headers dynamically (for example, forwarding or logging headers) and concatenates user-controlled values without strict allowlists. If the server uses a header value in routing, content negotiation, or security decisions, the injected header can trigger SSRF, cache poisoning, or security logic bypass. Even when HMAC validates the request integrity, the server may still process malicious injected headers before signature checks are applied, depending on the order of middleware and the scope of what is signed.

Consider a scenario where an API expects an X-Request-ID header and signs a subset of headers with HMAC. An attacker sends:

X-Request-ID: abc123
X-Forwarded-For: 127.0.0.1
X-Signature: ...

If the server reads X-Forwarded-For to determine the client IP and uses that in business logic (e.g., rate limiting or tenant resolution) without including it in the HMAC, the attacker can influence internal behavior while the signature remains valid. This combination therefore exposes the application to logic bypasses and request manipulation despite the presence of HMAC signatures.

Hmac Signatures-Specific Remediation in Aspnet — concrete code fixes

To mitigate Header Injection when using HMAC signatures in ASP.NET, ensure strict header allowlisting, canonicalize the signed string exactly as verified, and avoid using potentially mutable or injected headers for server-side decisions. The following practices and code examples focus on .NET 6+ minimal APIs and common HMAC patterns.

1) Canonicalize signed headers and reject unexpected headers

Define an allowlist of headers that can be signed and are safe to use. Reject requests that contain unexpected headers, or at least do not use them for routing or security decisions.

using System.Security.Cryptography;
using System.Text;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

string[] allowedSignedHeaders = [ "x-request-id", "content-type" ];
string sharedSecret = builder.Configuration["HmacSecret"] ?? string.Empty;

app.Use(async (context, next)
{
    // Reject injected or unexpected headers before processing
    foreach (var header in context.Request.Headers)
    {
        if (!allowedSignedHeaders.Contains(header.Key.ToLowerInvariant()))
        {
            context.Response.StatusCode = 400;
            await context.Response.WriteAsync($"Unexpected header: {header.Key}");
            return;
        }
    }
    await next();
});

app.MapPost("/webhook", (HttpRequest req) =>
{
    // Build canonical string exactly as the sender did
    var sb = new StringBuilder();
    foreach (var h in allowedSignedHeaders)
    {
        if (req.Headers.TryGetValue(h, out var val))
            sb.Append($"{h.ToLowerInvariant()}:{val}");
        else
            sb.Append($"{h.ToLowerInvariant()}:");
    }
    sb.Append(req.Body.Length > 0 ? new StreamReader(req.Body).ReadToEnd() : string.Empty);

    string payload = sb.ToString();
    string receivedSignature = req.Headers["X-Signature"];

    using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(sharedSecret));
    string computedSignature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));

    if (!CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(computedSignature), Encoding.UTF8.GetBytes(receivedSignature)))
        throw new InvalidOperationException("Invalid signature");

    // Safe to proceed: headers are allowlisted and signature matches canonical form
    return Results.Ok();
});

app.Run();

2) Avoid using injected headers in HMAC canonicalization

Ensure the canonical string used to compute and verify HMAC does not include attacker-controlled headers unless they are also included in the allowlist and verified before use. Never include headers like X-Forwarded-For or X-Original-URL in the signed string unless they are explicitly expected and validated.

// BAD: includes X-Forwarded-For which can be injected
var badPayload = $"x-forwarded-for:{req.Headers["X-Forwarded-For"]}x-request-id:{req.Headers["X-Request-ID"]}";

// GOOD: only allowlisted headers are used
var goodPayload = $"x-request-id:{req.Headers["X-Request-ID"]}content-type:{req.Headers["Content-Type"]}";

3) Validate and sanitize header values used in server logic

If you must use a header value in server logic (e.g., tenant ID), validate format and length, and avoid using it directly in paths or queries to prevent SSRF or injection. Also ensure the header is not duplicated by proxies that could inject additional values.

string tenantId = req.Headers["X-Tenant-ID"];
if (!System.Text.RegularExpressions.Regex.IsMatch(tenantId, @"^[a-zA-Z0-9\-]{1,64}$"))
{
    context.Response.StatusCode = 400;
    await context.Response.WriteAsync("Invalid tenant ID");
    return;
}
// Use tenantId safely after validation
Scan for header injection in aspnet Free API security scan

Frequently Asked Questions

Why include HMAC in the allowlist if it's verified later?
Including HMAC in the allowlist prevents attackers from injecting or modifying it; the server should reject requests where the list of signed headers does not exactly match expectations, ensuring the canonical string is predictable and tamper-proof.
Can I rely on HMAC alone to prevent header injection?
No. HMAC ensures integrity but does not prevent injection. You must also enforce header allowlists, avoid using untrusted header values in routing or security decisions, and validate/sanitize all inputs before use.

Related Pages

Header Injection in AspnetLearn how header injection vulnerabilities manifest in Aspnet applications, how to detect them with middleBrick's automaHeader Injection with Hmac SignaturesHeader injection in HMAC signatures allows attackers to manipulate signing inputs through crafted header values, enablinHeader Injection in Aspnet on GcpHeader Injection in ASP.NET on GCP: causes, detection, and GCP-aware code fixes with allow-listing and header sanitizatiHeader Injection in Aspnet on KubernetesHeader injection in ASP.NET on Kubernetes: how proxy layers and config can enable injection, and Kubernetes-specific fixHeader Injection in Aspnet on AwsHeader Injection in ASP.NET on AWS: causes, risks, and code fixes to safely set response headers.Header Injection in Aspnet on FirebaseHeader Injection in ASP.NET with Firebase: causes, real code fixes, and secure patterns to prevent response splitting anIso 27001: Header Injection in AspnetLearn ISO 27001 controls for header injection in ASP.NET with secure coding examples and remediation guidance.Cis: Header Injection in AspnetExplore CIS-focused Header Injection risks in ASP.NET with real code fixes. Learn detection methods and secure coding paHipaa: Header Injection in AspnetExplore Header Injection in ASP.NET APIs under HIPAA: understand the vulnerability and apply concrete code fixes using aGdpr: Header Injection in AspnetLearn how header injection in ASP.NET can expose GDPR-sensitive data and apply secure coding patterns to prevent CRLF inHeader Injection in Aspnet with DynamodbHeader injection risks when ASP.NET uses DynamoDB data in HTTP headers, with DynamoDB-specific remediation and code examHeader Injection in Aspnet with CockroachdbExplore header injection risks in ASP.NET with CockroachDB, with concrete code fixes and validation patterns to keep res