How to send multiple Header Values with the SAME name using CURL?

Question

I have been struggling to replicate an issue we are facing in Production. The clients are sending multiple headers with the same name via a cookie and we are trying to troubleshoot the same via CURL. The intent is to send TWO header values for the same header name so that the application (below as myhost) can intercept it via this curl attempt. However, when I attempt something like this, the server, the "x-targetted-group" value doesn't resolve. IF I send TWO headers using -H "X-targetted-group:Group1" - "x-targetted-group:Group2", the server only gets the first one. How can i send both ?

curl -i -H "Accept: application/json" -H "x-targetted-group:Group1,Group2"  https://myhost:8990/"

Answer 1

I used to perform a lot of bad queries syntax attacks on HTTP servers. By definition, curl or wget won't let you do much bad syntax work.

You should try to use low level netcat + printf.

With printf, you write your HTTP query, and netcat will manage the socket connection (for ssl connections you can replace netcat with openssl_client).

That would look like (for a basic query):

printf 'GET /my/url?foo=bar HTTP/1.1\r\n'\
'Host: www.example.com\r\n'\
'\r\n'\
| nc -q 2 127.0.0.1 80

And for a more complex one (repeated header & old ops-fold header syntax, not also how to write a %character in printf):

printf 'GET /my/url?foo=bar&percent_char=%% HTTP/1.1\r\n'\
'Host: www.example.com\r\n'\
'x-foo-header: value1\r\n'\
'x-foo-header: value2\r\n'\
'x-foo-header: value3, value4\r\n'\
'x-foo-header:\t\tval5\r\n'\
' val6\r\n'\
'User-agent: tests\r\n'\
'\r\n'\
| nc -q 2 127.0.0.1 80

Once you get used of it it's a pleasure, no limitations.

Answer 2

curl won't let you. So answer is you can't. Later version of wget won't either.

If you want to experiment with odd possibly malformed HTTP requests, you can just craft your own - it's all just plain text. Example using netcat:

> cat request.txt # I.e. the contents of the file request.txt is:
GET /
Accept: application/json
X-targetted-group: Group1
X-targetted-group: Group2

> nc myhost 8990 <request.txt

The HTTP spec says lines have to end in CRLF (\r\n) so the above might not be accepted by your server unless the text file request.txt uses CRLF line termination (there is an option for saving like that in text editors ..).

Aside: What HTTP spec says about multiple headers with the same name (they are allowed):

Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]. It MUST be possible to combine the multiple header fields into one "field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field-value to the first, each separated by a comma. The order in which header fields with the same field-name are received is therefore significant to the interpretation of the combined field value, and thus a proxy MUST NOT change the order of these field values when a message is forwarded.

Answer 3

This is a limitation of the HTTP protocol itself. You are not allowed to send multiple headers with the same name unless they are sent in the same key as a comma separated list of values. Take a look at this answer.