HTTP Host header attacks

How to test for vulnerabilities using the HTTP Host header

Check for flawed validation

GET /example HTTP/1.1Host: vulnerable-website.com:bad-stuff-here

GET /example HTTP/1.1Host: notvulnerable-website.com

GET /example HTTP/1.1Host: hacked-subdomain.vulnerable-website.com

Send ambiguous requests

Inject duplicate Host headers

GET /example HTTP/1.1Host: vulnerable-website.comHost: bad-stuff-here

Supply an absolute URL

GET https://vulnerable-website.com/ HTTP/1.1Host: bad-stuff-here

Add line wrapping

GET /example HTTP/1.1 Host: bad-stuff-hereHost: vulnerable-website.com

Web cache poisoning via the Host header
in this case try to second host header if input reflected in response try to craft xss payload
Exploiting classic server-side vulnerabilities
Every HTTP header is a potential vector for exploiting classic server-side vulnerabilities, and the Host header is no exception. "try SQLI"
Accessing restricted functionality
robots.txt may display end points that can't be accessed by normal user
may be only local user can access it try to alter host to localhost and request this page
Accessing internal websites with virtual host brute-forcing
www.example.com: 12.34.56.78 intranet.example.com: 10.0.0.132
alter host value to :
localhost
dev
stage
test
Routing-based SSRF
- change host to site u have Burp Collaborator if the site trigger your logs This confirms that you are able to make the website's middleware issue requests to an arbitrary server
- brute force the internal infrastructure with burp intruder Host: 192.168.0.§0§
SSRF via a malformed request line
GET @private-intranet/example HTTP/1.1
The resulting upstream URL will be http://backend-server@private-intranet/example, which most HTTP libraries interpret as a request to access private-intranet with the username backend-server.

alter host value to :

localhost

dev

stage

test

pass reset

alter host to your site and check if rest message contaning your site

Last updated 3 years ago