So I am testing a website that runs on Varnish and has HTTP authentication. Typically, if you try to visit the site, it prompts you for a username and password and if you enter it incorrectly/close the prompt, you get a 401 response. However, if you change the host header in the request to any invalid site, you receive a 500 response with a Fastly error for unknown domain. This all makes sense and seems to function normally.

However, if you set the host header to a pound sign "#", an ampersand, or a forward slash, the site returns a 200 with a content-length of zero in the response, even if you request an existing page on the server. Why might this be occurring, and are there any methods to exploit this?

Edit: I've also noticed that it increases the response time from 20-50ms to 1000+ ms if this is useful in any way.

Jack

0 Answers