# HTTP Host header attacks

**How to test for vulnerabilities using the HTTP Host header**

* Supply an arbitrary Host header
* Check for flawed validation

  ```
  GET /example HTTP/1.1
  Host: vulnerable-website.com:bad-stuff-here
  ```

  ```
  GET /example HTTP/1.1
  Host: notvulnerable-website.com
  ```

  ```
  GET /example HTTP/1.1
  Host: hacked-subdomain.vulnerable-website.com
  ```
* Send ambiguous requests
  * Inject duplicate Host headers

    ```
    GET /example HTTP/1.1
    Host: vulnerable-website.com
    Host: bad-stuff-here
    ```
  * Supply an absolute URL

    ```
    GET https://vulnerable-website.com/ HTTP/1.1
    Host: bad-stuff-here
    ```
  * Add line wrapping

    ```
    GET /example HTTP/1.1
     Host: bad-stuff-here
    Host: vulnerable-website.com
    ```
* Inject host override headers

  You can sometimes use X-Forwarded-Host to inject your malicious input while circumventing any validation on the Host header itself.

  ```
  GET /example HTTP/1.1
  Host: vulnerable-website.com
  X-Forwarded-Host: bad-stuff-here
  ```

  Although X-Forwarded-Host is the de facto standard for this behavior, you may come across other headers that serve a similar purpose, including:

  ```
  X-Host
  X-Forwarded-Server
  X-HTTP-Host-Override
  Forwarded
  ```
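
A server-side check that rejects each of the probes above, next to the kind of flawed validation they target. This is an added example, not code from the original page; the allowlist, the function names, and the policy of rejecting (rather than stripping) override headers and non-origin-form request targets are assumptions.

```python
import re

ALLOWED_HOSTS = {"vulnerable-website.com"}  # assumed allowlist for this example
# Override headers named on the page; a real edge proxy would usually strip or
# overwrite these instead of rejecting the request.
OVERRIDE_HEADERS = {"x-forwarded-host", "x-host", "x-forwarded-server",
                    "x-http-host-override", "forwarded"}
HOST_RE = re.compile(r"([a-z0-9.-]+)(?::\d{1,5})?")

def naive_check(host):
    """Flawed validation: drops the port unparsed and matches on a suffix."""
    return host.split(":")[0].endswith("vulnerable-website.com")

def strict_check(raw):
    """Return (accepted, reason) for a raw HTTP/1.1 request head."""
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    # Policy assumption: only origin-form targets ("/path") are accepted.
    if len(parts) != 3 or not parts[1].startswith("/"):
        return False, "request target is not origin-form"
    hosts = []
    for line in lines[1:]:
        if not line:
            break  # end of headers
        if line[0] in " \t":
            return False, "line-wrapped header"
        name, _, value = line.partition(":")
        if name.lower() in OVERRIDE_HEADERS:
            return False, "client-supplied host override header"
        if name.lower() == "host":
            hosts.append(value.strip().lower())
    if len(hosts) != 1:
        return False, "expected exactly one Host header"
    m = HOST_RE.fullmatch(hosts[0])
    if not m or m.group(1) not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    return True, "ok"

def request(first_line, *headers):
    """Build a request head from constructed sample values."""
    return "\r\n".join((first_line,) + headers) + "\r\n\r\n"

if __name__ == "__main__":
    print(strict_check(request("GET /example HTTP/1.1",
                               "Host: vulnerable-website.com")))
    print(strict_check(request("GET /example HTTP/1.1",
                               " Host: bad-stuff-here",
                               "Host: vulnerable-website.com")))
```
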

***

#### How to exploit the HTTP Host header

* **Web cache poisoning via the Host header**

  In this case, try adding a second Host header. If the input is reflected in the response, try to craft an XSS payload.
* **Exploiting classic server-side vulnerabilities**

  Every HTTP header is a potential vector for exploiting classic server-side vulnerabilities, and the Host header is no exception. For example, try SQL injection.
* **Accessing restricted functionality**

  `robots.txt` may reveal endpoints that can't be accessed by a normal user.

  It may be that only a local user can access them. Try altering the Host to `localhost` and requesting the page.
* **Accessing internal websites with virtual host brute-forcing**

  ```
  www.example.com: 12.34.56.78
  intranet.example.com: 10.0.0.132
  ```

  Alter the Host value to:

  * `localhost`
  * `dev`
  * `stage`
  * `test`
* **Routing-based SSRF**
  * Change the Host to a site you control, such as *Burp Collaborator*. If the site triggers an entry in your logs, this confirms that you are able to make the website's middleware issue requests to an arbitrary server.
  * Brute-force the internal infrastructure with Burp Intruder: `Host: 192.168.0.§0§`
* **SSRF via a malformed request line**

  `GET @private-intranet/example HTTP/1.1`

  The resulting upstream URL will be <http://backend-server@private-intranet/example>, which most HTTP libraries interpret as a request to access private-intranet with the username backend-server.

***

Password reset

Alter the Host to your own site and check whether the reset message contains your site.

***
