Before diving into “Host Header Injection”, a few prerequisites should be kept in mind.
Let’s start with: what actually is a host header?

What is Host Header?

A simple Google search gives this definition: “The Host request header specifies the host and port number of the server to which the request is being sent.
If no port is included, the default port for the requested service is implied: 80 for an HTTP URL and 443 for an HTTPS URL.”

What is Host Header Injection?

In layman’s terms, host header injection is a web-based attack where the attacker supplies an arbitrary Host header to the web application. If the server trusts the Host header completely and fails to validate it properly, an attacker can use this input to inject payloads that manipulate server-side behaviour.

How to secure a web-based application from host header injection?

To be secure from host header injection, don’t trust the Host header; validate it against a whitelist of the allowed host names.
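One way to implement that whitelist, as an added example in Python that is not the author’s code: the Host value is normalised (case, port), requests carrying more than one Host header are rejected, and the password reset link is built only from the validated name. `ALLOWED_HOSTS` and the header lists are assumed sample data.

```python
"""Allowlist-based Host header validation (added example, not the blog's own
code). ALLOWED_HOSTS and the sample header lists are constructed assumptions."""

# Assumed allowlist of the canonical host names this application serves.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def normalize_host(raw):
    """Lower-case the host and strip any port; keep IPv6 brackets intact."""
    host = raw.strip().lower()
    if host.startswith("["):  # "[::1]:8443" -> "[::1]"
        end = host.find("]")
        return host[: end + 1] if end != -1 else None
    return host.split(":", 1)[0]


def validated_host(headers):
    """Return the normalised Host if it is allowlisted, otherwise None.

    `headers` is a list of (name, value) tuples so duplicates stay visible:
    a request carrying two Host headers is refused instead of letting the
    second one win, which closes the duplicate-header bypass.
    """
    hosts = [value for name, value in headers if name.lower() == "host"]
    if len(hosts) != 1:
        return None
    host = normalize_host(hosts[0])
    if not host or host not in ALLOWED_HOSTS:
        return None
    return host


def password_reset_link(headers, token):
    """Build the reset link from the validated host, never from raw input."""
    host = validated_host(headers)
    if host is None:
        raise ValueError("untrusted Host header; refusing to build reset link")
    return f"https://{host}/reset?token={token}"
```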

How to test for host header injection?

Testing for host header injection is very simple: you just need to check whether you are able to modify the Host header and still reach the target with your request.
The screenshots attached below show how one can simulate a simple host header injection.

A. Try to pass a random host in the request in Burp Suite and check in the response whether you are able to modify the host. If you are, the web application may be vulnerable to host header injection.

B. After learning that the web application is vulnerable to host header injection, modify the Host header in the request to the attacker’s host and check the response: a 200 OK means you are able to exploit the host header injection.

C. If you get 400 Bad Request, you can try some bypasses. One of them, shown in the screenshot above, is to add an additional Host header: keep the original host in the first one and put the attacker’s host in the second. After this you may be able to bypass the check.

How can Host Header Injection be dangerous?

Below are some glimpses of what an attacker can do:

1. Manipulate Password Reset Functionality

An attacker can abuse the password reset functionality if it is affected by host header injection. The attacker goes through the “forgot password” flow and changes the Host header; if the functionality uses the attacker’s domain to build the password reset link, the attacker can obtain the user’s reset token and reset the password of the user’s account.

2. Web Cache Poisoning

If the Host header is reflected in the response markup without HTML encoding, an attacker can exploit web cache poisoning on the web application, and whenever a user visits the web application it will redirect them to the attacker’s domain.

3. Open Redirection Through Host Header Injection

If the web application is vulnerable to host header injection, an attacker can cause an open redirection to another website that the attacker controls: by changing the host, the attacker can successfully redirect the user to the attacker’s domain.

Blog by: Dark Legend