search

Host Header Injection

hashtag
Host Header injection

The HTTP Host header is a mandatory request header introduced in HTTP/1.1.

Example

GET /page HTTP/1.1
Host: example.com

hashtag
Testing Steps:

  • Suppl an Arbitrary Host Header

Send arequest 

GET /page HTTP/1.1
Host: malicious-domain.com

  • Check for flawed Validation

GET /page HTTP/1.1
Host: example.com:bad-port

  • Send Ambiguous Requests

hashtag
Duplicate Host

GET /page HTTP/1.1
Host: example.com:bad-port
Host: t.example.com:bad-port

hashtag
Absolute URL:

  • Inject Host Override Headers

Use header like X-Forwarded-Host

hashtag
Common Attack Vectors

  1. Password Reset Poisoning: Manipulate the Host header to redirect password reset links to an attacker-controlled domain.

  2. Host Header Authentication Bypass: Exploit improper header handling to bypass authentication mechanisms.

  3. Web Cache Poisoning: Inject malicious content into a web cache using a forged Host header.

  4. Routing-Based SSRF: Use the Host header to manipulate server routing and access internal systems.

hashtag
Mitigation and Prevention

  • Avoid Using the Host Header

  • Validate the Host Header

  • Disable Host Override Headers

  • Whitelist Domains for Routing

PreviousOAUTH 2.0 authentication vulnerabilitiesNextInsecure Direct Object References (IDOR)

Last updated