HTTP Host header attacks
How to test for vulnerabilities using the HTTP Host header
Supply an arbitrary Host header
Check for flawed validation
Send ambiguous requests
Inject duplicate Host headers
Supply an absolute URL
Add line wrapping
Inject host override headers
You can sometimes use X-Forwarded-Host to inject your malicious input while circumventing any validation on the Host header itself.
Although X-Forwarded-Host is the de facto standard for this behavior, you may come across other headers that serve a similar purpose, including:
How to exploit the HTTP Host header
Web cache poisoning via the Host header
in this case try to second host header if input reflected in response try to craft xss payload
Exploiting classic server-side vulnerabilities
Every HTTP header is a potential vector for exploiting classic server-side vulnerabilities, and the Host header is no exception. "try SQLI"
Accessing restricted functionality
robots.txtmay display end points that can't be accessed by normal usermay be only local user can access it try to alter host to
localhostand request this pageAccessing internal websites with virtual host brute-forcing
www.example.com: 12.34.56.78 intranet.example.com: 10.0.0.132
alter host value to :
localhost
dev
stage
test
Routing-based SSRF
change host to site u have Burp Collaborator if the site trigger your logs This confirms that you are able to make the website's middleware issue requests to an arbitrary server
brute force the internal infrastructure with burp intruder
Host: 192.168.0.§0§
SSRF via a malformed request line
GET @private-intranet/example HTTP/1.1The resulting upstream URL will be http://backend-server@private-intranet/example, which most HTTP libraries interpret as a request to access private-intranet with the username backend-server.
alter host value to :
localhost
dev
stage
test
pass reset
alter host to your site and check if rest message contaning your site
Last updated