Fuzzing request headers is conceptually the same as fuzzing URIs. The only difference is that the number of vulnerabilities found by fuzzing the request headers will be higher than when fuzzing URIs because these headers are sent to the web application server and the server processes these headers internally. This means we have a larger scope for finding vulnerabilities.

There are different types of HTTP headers at play:

• Standard HTTP headers (Cookie, User-Agent, Accept, Host, and so on)
• Non-standard HTTP headers (X-Forwarded-For, X-Requested-With, DNT, and so on) 
• Custom headers (any other header beginning with X- except the non-standard headers)

Let's try to understand how can we fuzz each type of header using the same fuzzers as in the rest of this chapter.