I have recently launched a new Django-based API, and quite quickly I started to receive INVALID_HOST_HEADER SOME RANDOM URL errors. My understanding is that this is caused by somebody manually changing the Host header, or proxying my API through…
I am a beginner in security and reading about host header injection. I tested an application for this vulnerability and it is possible there for some request, but the developer implemented no-cache, no-store flags and this vulnerability is not in…
SCENARIO:
If I send requests like these:
http://site.com/page?safe_param=1?my_arbitrary_param=2
The server responds with a normal HTTP response but within common headers it includes also the arbitrary param:
[...]
my_arbitrary_param: 2
[...]
How…
I am new to this field and would like to know how the flow happens in a host header injection attack.
I believe it's as below:
Client generates the request.
Attacker manipulates the request and changes the host header (to say example.com).
Server…
From the official ASP.NET Core docs, namely Routing in ASP.NET Core § URL generation concepts:
Use GetUri* extension methods with caution in an app configuration that doesn't validate the Host header of incoming requests. If the Host header of incoming…
I have been researching HTTP host header attacks. There are many examples such as Contact support. Why would anyone use an absolute path for resources served by the same server? I've only seen absolute…
I am currently conducting a pentest and I found an application vulnerable to HTTP header injection, where the user input is reflected after the Content-Type header, and the Content-Type is set to application/force-download. That is, the attacker can…
So I am testing a website that runs on Varnish and has HTTP authentication. Typically, if you try to visit the site, it prompts you for a username and password and if you enter it incorrectly/close the prompt, you get a 401 response. However, if you…
I want to inject the collaborator payload in the HTTP Host header (HTTP Host header injection).
GET / HTTP/1.1
Host: payload.collaborator.net
The Host header is used to reach the targeted webserver and fetch the vhost or any backend component,…
If I go to the HTTP site, e.g. http://www.example.com, the site will redirect (code 301) to the HTTPS version https://www.example.com.
On various pentests I observed that if I modify the Host header in the HTTP request, the Location header in the…
I was reading about host header injection and found many reports on hackerone.
Assume that if you inject an X-Forwarded-Host header into specific requests, you may cause a redirect, which can impact the people on the network…
Our application has been checked by a pen test tool, and this is the description of the issue:
An attacker can redirect the application using the host header on the below-mentioned URL to redirect them to phishing websites.
Reproducing steps:
Make…
How can we mitigate host header injection in ASP.NET? I have already configured the application binding in IIS and set a static hostname, but the vulnerability still exists.
I found a website which is vulnerable to CORS (https://portswigger.net/web-security/cors).
GET /api/requestApiKey HTTP/1.1
Host: vulnerable-website.com
Origin: https://evil.com
AUTHENTICATION: eyssdsdsdsasa.....
And the server responds…