HTTP Host header attacks
Aug 1, 2023
Theory
The HTTP Host header identifies which back-end component the client wants to communicate with. In the following image, you can observe internal resources being accessed by sending a request with a changed Host header value.
Methodology
Identification
- Modify the Host header and analyze the response
a) Access the landing page — examine processing of Host header
b) Get an error (invalid Host header) — content reflection or move on
- Check for faulty validation
a) Specify port (also in non-numeric form)
b) Add “not” before the value
c) Use a less secure subdomain
- Send ambiguous requests
a) Add a duplicate Host header
b) Specify the absolute URL after the method and manipulate the value of the Host header
c) Add line wrapping (Tab key after first or second Host header)
- Inject host override headers
a) X-Forwarded-Host, X-Host, X-Forwarded-Server, X-HTTP-Host-Override, Forwarded
b) Use Param Miner’s “Guess headers” function
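A server-side counterpart to the identification checks above, as an added example that is not part of the original post: a strict validator that rejects each request shape on the list. The host name `shop.example.com`, the port set, and the policy of refusing override headers and non-origin-form targets outright (suited to a front end with no trusted proxy ahead of it) are assumptions.

```python
import re

ALLOWED_HOSTS = {"shop.example.com"}   # assumption: the site's only canonical name
ALLOWED_PORTS = {80, 443}              # assumption
OVERRIDE = {"x-forwarded-host", "x-host", "x-forwarded-server",
            "x-http-host-override", "forwarded"}
HOST_RE = re.compile(r"([a-z0-9.-]+)(?::([0-9]{1,5}))?")  # name plus optional numeric port

def check_request(raw: bytes):
    """Return 'ok' or the reason a raw HTTP/1.1 request head is rejected."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    hosts = []
    for line in header_lines:
        if line[:1] in (" ", "\t"):
            return "folded header line"        # a wrapped line can hide a second Host
        name, sep, value = line.partition(":")
        if not sep or name != name.strip():
            return "malformed header"
        if name.lower() in OVERRIDE:
            return "host override header"      # only a trusted proxy may add these
        if name.lower() == "host":
            hosts.append(value.strip().lower())
    if len(hosts) != 1:
        return "missing or duplicate Host"
    m = HOST_RE.fullmatch(hosts[0])
    if not m or (m.group(2) and int(m.group(2)) not in ALLOWED_PORTS):
        return "malformed Host value or port"  # e.g. non-numeric port
    if m.group(1) not in ALLOWED_HOSTS:        # exact match: no prefix/suffix logic
        return "host not allowed"
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[1].startswith("/"):
        return "request target not origin-form"   # absolute URL or '@host/...' path
    return "ok"

SAMPLES = {   # constructed requests, one per identification check in the list above
    "legit":     b"GET / HTTP/1.1\r\nHost: shop.example.com\r\n\r\n",
    "bad port":  b"GET / HTTP/1.1\r\nHost: shop.example.com:bad\r\n\r\n",
    "prefix":    b"GET / HTTP/1.1\r\nHost: notshop.example.com\r\n\r\n",
    "duplicate": b"GET / HTTP/1.1\r\nHost: shop.example.com\r\nHost: a.test\r\n\r\n",
    "absolute":  b"GET http://a.test/ HTTP/1.1\r\nHost: shop.example.com\r\n\r\n",
    "wrapped":   b"GET / HTTP/1.1\r\n Host: a.test\r\nHost: shop.example.com\r\n\r\n",
    "override":  b"GET / HTTP/1.1\r\nHost: shop.example.com\r\nX-Host: a.test\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10} -> {check_request(raw)}")
```

Behind a reverse proxy the same checks belong at the edge, with the override headers stripped there and re-added only by the proxy itself.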
Exploitation
- Password reset poisoning
a) Use the techniques mentioned above in the password reset process
b) Have the password reset token sent to the server you control
- Web cache poisoning via the Host header
a) Notice the verbose caching headers
b) Try the above identification techniques
c) Spot if the Host header is reflected in a file import
- Try SQLi probing techniques in the Host header.
- Access internal resources
a) Modify the Host header’s value to 127.0.0.1 or localhost
b) Brute-force virtual hosts
- Test for routing-based SSRF
a) Insert Collaborator URL in the Host header
- Perform connection state attack
a) Send two requests in the same connection (Group functionality in Burp Repeater)
b) 1st request — legit, 2nd request — malicious
- Start the path with the @ sign
a) GET @private-intranet/example HTTP/1.1