Average response header size elevated

firetail:average-response-header-size-elevated

Type:

Detection

Rule Severity:

Info

The average response header size during a given period was >= the mean average + one standard deviation of the preceding period.

A significant increase in header sizes can be an indicator of malicious activity. Headers are usually static, and even where they contain dynamic content such as authentication tokens, those items are usually of a fixed size. Fluctuating header sizes indicate the presence of additional data which shouldn't be there.

Remediation

Investigate what has caused the response headers sent to this API to increase significantly in size.

Example Attack Scenario

An attacker may try to compromise a service via Host Header Injection, which add to the header length. Other attacks may try to modify authentication tokens in the header by adding new privileges or scopes, these modifications change the length of the authentication token. On compromised systems attackes may want to exfiltrate data in encoded chunks in response headers to avoid detection.

How to Identify with Example Scenario

How to Resolve with Example Scenario

How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications
References:

More findings

All Findings