Cyber Explained

HTTP Host header attacks

How to test for vulnerabilities using the HTTP Host header

  • Supply an arbitrary Host header

  • Check for flawed validation

    GET /example HTTP/1.1
    Host: vulnerable-website.com:bad-stuff-here

    GET /example HTTP/1.1
    Host: notvulnerable-website.com

    GET /example HTTP/1.1
    Host: hacked-subdomain.vulnerable-website.com
  • Send ambiguous requests

    • Inject duplicate Host headers

      GET /example HTTP/1.1
      Host: vulnerable-website.com
      Host: bad-stuff-here
    • Supply an absolute URL

      GET https://vulnerable-website.com/ HTTP/1.1
      Host: bad-stuff-here
    • Add line wrapping

      GET /example HTTP/1.1
          Host: bad-stuff-here
      Host: vulnerable-website.com
  • Inject host override headers

    You can sometimes use X-Forwarded-Host to inject your malicious input while circumventing any validation on the Host header itself.

    GET /example HTTP/1.1
    Host: vulnerable-website.com
    X-Forwarded-Host: bad-stuff-here

    Although X-Forwarded-Host is the de facto standard for this behavior, you may come across other headers that serve a similar purpose, including:

    X-Host
    X-Forwarded-Server
    X-HTTP-Host-Override
    Forwarded
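A server-side Host validator, added here as an example (not code from the original page), that rejects every variant listed above: junk after the port, non-allowlisted and subdomain hosts, duplicate Host headers, line-wrapped headers, override headers from untrusted clients, absolute-URL targets that disagree with Host, and the `@`-style request target from the SSRF section further down. The allowlist, the trusted-proxy set and the client address are assumed values.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: the page's example site is the only host this app serves.
ALLOWED_HOSTS = {"vulnerable-website.com"}
# Proxy addresses whose override headers are trusted; empty means "never" (assumed).
TRUSTED_PROXIES = set()
OVERRIDE_HEADERS = {"x-forwarded-host", "x-host", "x-forwarded-server",
                    "x-http-host-override", "forwarded"}
# Hostname labels plus an optional numeric port; anything else (e.g. ":bad-stuff-here") fails.
_HOST_RE = re.compile(r"^((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*)(?::(\d{1,5}))?$")

def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, target, [(name, value), ...]).
    Headers stay a list so duplicate Host lines remain visible; an obs-fold
    continuation line (leading space/tab) is recorded under the pseudo-name '<folded>'."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:
            break
        if line[0] in " \t":
            headers.append(("<folded>", line.strip()))
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, headers

def effective_host(raw, client_ip="203.0.113.10"):
    """Return the validated hostname to route on, or None to reject the request."""
    _method, target, headers = parse_request(raw)
    if not target.startswith(("/", "http://", "https://")):
        return None                                   # e.g. "GET @private-intranet/example"
    hosts = [v for n, v in headers if n == "host"]
    if len(hosts) != 1 or any(n == "<folded>" for n, _ in headers):
        return None                                   # missing/duplicate Host, or line wrapping
    if client_ip not in TRUSTED_PROXIES and any(n in OVERRIDE_HEADERS for n, _ in headers):
        return None                                   # X-Forwarded-Host & co. from an untrusted client
    m = _HOST_RE.match(hosts[0].lower())
    if not m or (m.group(2) and not 0 < int(m.group(2)) < 65536):
        return None                                   # junk after the port, or an invalid port
    hostname = m.group(1)
    if hostname not in ALLOWED_HOSTS:
        return None                                   # exact match only: blocks *.vulnerable-website.com too
    if target.startswith("http") and urlsplit(target).hostname != hostname:
        return None                                   # absolute-form target must agree with Host
    return hostname
```

Return None is the signal to answer with a 400 before any routing, caching or link generation uses the value.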

How to exploit the HTTP Host header

  • Web cache poisoning via the Host header

    In this case, try a second Host header; if the input is reflected in the response, try to craft an XSS payload.

  • Exploiting classic server-side vulnerabilities

    Every HTTP header is a potential vector for exploiting classic server-side vulnerabilities, and the Host header is no exception (try SQLi).

  • Accessing restricted functionality

    robots.txt may reveal endpoints that a normal user can't access.

    They may be accessible only to local users: try altering the Host header to localhost and requesting the page.

  • Accessing internal websites with virtual host brute-forcing

    Alter the Host value to:

    localhost
    dev
    stage
    test

  • Routing-based SSRF

    • Change the Host to a site you control (e.g. Burp Collaborator). If the request shows up in your logs, this confirms that you are able to make the website's middleware issue requests to an arbitrary server.

    • Brute force the internal infrastructure with Burp Intruder: Host: 192.168.0.§0§

  • SSRF via a malformed request line

    GET @private-intranet/example HTTP/1.1


Password reset

Alter the Host header to your site and check whether the reset message contains your site.
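Detection logic for the exploitation attempts listed in this section, added here as an example (not from the original page) and run over constructed JSON access-log records: it flags Host values pointing at localhost, private IPs or the dev/stage/test guesses, non-allowlisted hosts (the pattern behind the cache poisoning and password reset checks), override headers from untrusted sources, absolute-URL and `@`-style request targets, and sources cycling through many Host values (the Intruder pattern). Log format, allowlist and addresses are assumptions.

```python
import ipaddress
import json

ALLOWED_HOSTS = {"vulnerable-website.com"}              # the app's real vhosts (constructed)
INTERNAL_NAMES = {"localhost", "dev", "stage", "test"}  # the vhost guesses the page lists
OVERRIDE_HEADERS = {"x-forwarded-host", "x-host", "x-forwarded-server",
                    "x-http-host-override", "forwarded"}
TRUSTED_PROXIES = set()                                 # sources allowed to send override headers
SAMPLE_LOGS = [  # constructed JSON access-log records covering the page's attack patterns
    '{"src":"198.51.100.5","target":"/example","host":"vulnerable-website.com","hdrs":{}}',
    '{"src":"203.0.113.10","target":"/admin","host":"localhost","hdrs":{}}',
    '{"src":"203.0.113.10","target":"/","host":"192.168.0.7","hdrs":{}}',
    '{"src":"203.0.113.10","target":"/","host":"stage","hdrs":{}}',
    '{"src":"203.0.113.10","target":"/reset","host":"bad-stuff-here.example","hdrs":{}}',
    '{"src":"203.0.113.10","target":"/example","host":"vulnerable-website.com","hdrs":{"X-Forwarded-Host":"bad-stuff-here"}}',
    '{"src":"203.0.113.10","target":"@private-intranet/example","host":"vulnerable-website.com","hdrs":{}}',
    '{"src":"203.0.113.10","target":"https://vulnerable-website.com/","host":"bad-stuff-here","hdrs":{}}',
]

def host_findings(host):
    """Rule names triggered by the Host value alone (numeric port stripped, case-folded)."""
    name = host.rsplit(":", 1)[0].lower() if host.rsplit(":", 1)[-1].isdigit() else host.lower()
    try:
        ip = ipaddress.ip_address(name)
        return ["host-internal-ip"] if ip.is_private or ip.is_loopback else []
    except ValueError:
        if name in INTERNAL_NAMES:
            return ["host-internal-name"]               # localhost / dev / stage / test
        return [] if name in ALLOWED_HOSTS else ["host-not-allowlisted"]

def analyse(line):
    """Return every rule name one JSON log record triggers (empty list = clean)."""
    rec = json.loads(line)
    findings = host_findings(rec["host"])
    if rec["src"] not in TRUSTED_PROXIES and any(h.lower() in OVERRIDE_HEADERS for h in rec["hdrs"]):
        findings.append("override-header-from-untrusted-source")
    if rec["target"].startswith(("http://", "https://")):
        findings.append("absolute-url-target")          # routing target may disagree with Host
    elif not rec["target"].startswith("/"):
        findings.append("malformed-request-target")     # e.g. GET @private-intranet/example
    return findings

def enumeration_sources(lines, threshold=3):
    """Sources that sent at least `threshold` distinct Host values: Intruder-style vhost/IP guessing."""
    seen = {}
    for line in lines:
        rec = json.loads(line)
        seen.setdefault(rec["src"], set()).add(rec["host"].lower())
    return {src for src, hosts in seen.items() if len(hosts) >= threshold}
```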



Last updated 3 years ago

Example hostnames and addresses from the virtual host brute-forcing discussion above:

    www.example.com: 12.34.56.78
    intranet.example.com: 10.0.0.132

For the malformed request line above, the resulting upstream URL will be http://backend-server@private-intranet/example, which most HTTP libraries interpret as a request to access private-intranet with the username backend-server.