Host Header Injection

Vulnerability Name

Host header Injection on [Parameter]

Vulnerability Description

HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior. Attacks that involve injecting a payload directly into the Host header are often known as "Host header injection" attacks.

In some cases, such as when the request has been forwarded by an intermediary system, the Host value may be altered before it reaches the intended back-end component.

Add your specific vulnerability description if required, the one given above is a general description.

Payload

Add your payload here

Steps to Reproduce

1. Go to [Affected URL].
2. Intercept the request in burp suite and send it to repeater.
3. Change the value of [Vulnerable Parameter] to the above payload and send the request.
4. Observe as the payload executes in the response.

POC

Modify the steps to reproduce above if required. Attach snapshots (POC) or a video link here.

Impact

As the Host header is in fact user controllable, this practice can lead to a number of issues. If the input is not properly escaped or validated, the Host header is a potential vector for exploiting a range of other vulnerabilities, most notably:

• Web cache poisoning.
• Business logic flaws in specific functionality.
• Routing-based SSRF.
• Classic server-side vulnerabilities, such as SQL injection.

Add your specific impact if required, the one given above is a general impact.

Remediation

To prevent HTTP Host header attacks, the simplest approach is to avoid using the Host header altogether in server-side code. Double-check whether each URL really needs to be absolute. You will often find that you can just use a relative URL instead. This simple change can help you prevent web cache poisoning vulnerabilities in particular.

Other ways to prevent HTTP Host header attacks include:

• Protect absolute URLs
• Validate the Host header
• Don't support Host override headers
• Whitelist permitted domains
• Be careful with internal-only virtual hosts

Add your specific remediation if required, the above is a general remediation.

Reference

• https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html
• https://portswigger.net/web-security/host-header#how-to-prevent-http-host-header-attacks