search

HTTP Host header attacks

Attacks that involve injecting a payload directly into the Host header

hashtag
How to test

hashtag
Supply an arbitrary Host header

The first step is to test what happens when you supply an arbitrary, unrecognized domain name via the Host header.

Sometimes, you will still be able to access the target website even when you supply an unexpected Host header. This could be for a number of reasons. For example, servers are sometimes configured with a default or fallback option in case they receive requests for domain names that they don't recognize. If your target website happens to be the default, you're in luck. In this case, you can begin studying what the application does with the Host header and whether this behavior is exploitable.

On the other hand, as the Host header is such a fundamental part of how the websites work, tampering with it often means you will be unable to reach the target application at all. The front-end server or load balancer that received your request may simply not know where to forward it, resulting in an "Invalid Host header" error of some kind. This is especially likely if your target is accessed via a CDN. In this case, you should move on to trying some of the techniques outlined below.

hashtag
Check for flawed validation

Host: vulnerable-website.com:bad-stuff-here Host: vulnerable-website.com@bad-stuff-here Host: vulnerable-website.com:123@bad-stuff-here

hashtag
Send ambiguous requests

Inject duplicate Host headers

Try swapping and adding special characters volume_up content_copy

GET /example HTTP/1.1
Host: vulnerable-website.com
Host: bad-stuff-here

Supply an absolute URL

GET https://vulnerable-website.com/ HTTP/1.1
Host: bad-stuff-here

Add line wrapping

Ref: https://portswigger.net/web-security/request-smugglingarrow-up-right

hashtag
Inject host override headers

hashtag
How to exploit the HTTP Host header

https://portswigger.net/web-security/host-header/exploitingarrow-up-right

PreviousSome other child page

Last updated