# Host Header Injection

## Introduction

A Host header injection vulnerability is a web vulnerability that occurs when an attacker can manipulate the `Host` header of an HTTP request and the web application (or the server in front of it) uses that value without validating it against the hosts it is actually meant to serve.

The attacker can supply invalid input to cause the webserver to:

* Dispatch requests to the first virtual host on the list.
* Perform a redirect to an attacker-controlled domain.
* Perform web cache poisoning.
* Manipulate password reset functionality.
* Allow access to virtual hosts that were not intended to be externally accessible.

## Test Host Header injection

There are several techniques you can try to test for this vulnerability.

On an HTTP request, modify the `Host` header value as follows:

* **Messing with the port number**: `example.com:<STUFF_HERE>`
* **Adding an** `@`: `example.com:1234@<MALICIOUS_DOMAIN>`
* **Adding carriage return and line feed**: `example.com%0d%0aLocation: malicious.com`
* **Malicious domain**: `example.com.malicious.com`
* **Inject duplicate Host Headers**:

```http
GET /example HTTP/1.1
Host: example.com
Host: malicious.com
```

* **Supply an absolute URL on the HTTP path**:

```http
GET https://example.com/ HTTP/1.1
Host: <BAD_STUFF>
```

* **Indent headers**:

```http
GET /example HTTP/1.1
    Host: <BAD_STUFF>
Host: example.com
```

* **Use host override headers**: A host override header can be used to redirect a request to a different server or to impersonate a legitimate server. To discover which of these headers the server honours, you can use the Burp Suite extension **Param Miner** by right-clicking on the request and then choosing `Extensions/Param Miner/Guess params/Guess headers`, or try the following wordlist.

```http
GET / HTTP/1.1
Host: example.com
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Forwarded-IP: 127.0.0.1
X-Forwarded-Server: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Host: 127.0.0.1
X-HTTP-Host-Override: 127.0.0.1
X-Client: 127.0.0.1
```
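The defensive counterpart to the tricks above is to resolve the effective host from the raw request and accept it only if it exactly matches an allowlist. The following is an added example (not code from the original page); `ALLOWED_HOSTS`, `host_is_allowed` and `effective_host` are names chosen here, and the allowlist contents are an assumption. It rejects every manipulation listed in this section: bogus ports, `@` in the authority, CRLF characters, look-alike suffix domains, duplicate `Host` headers, indented header lines, and an absolute-URI request target whose authority disagrees with `Host`; override headers such as `X-Forwarded-Host` are simply never consulted.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Assumption: the hostnames this application is meant to serve.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
# RFC 1123-style hostname: labels of letters, digits and hyphens only.
# Anything else ('@', '/', '%', whitespace, CR/LF, ...) fails to match.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
)


def host_is_allowed(host_value: str) -> bool:
    """True only if one Host header value names an allowlisted host (optional numeric port)."""
    host = host_value.strip().lower()
    if ":" in host:
        host, _, port = host.rpartition(":")
        # Port must be purely numeric: this rejects "example.com:1234@evil" and "example.com:junk".
        if not port.isdigit() or not 0 < int(port) < 65536:
            return False
    if not _HOSTNAME_RE.match(host):
        return False
    # Exact match, not a suffix check, so "example.com.malicious.com" is refused.
    return host in ALLOWED_HOSTS


def effective_host(request_line: str, header_lines: List[str]) -> Optional[str]:
    """Return the validated host a raw request is addressed to, or None to reject the request."""
    hosts = []
    for line in header_lines:
        # An indented line is an obs-fold continuation, never a new header; treat it as hostile.
        if line[:1] in (" ", "\t"):
            return None
        name, sep, value = line.partition(":")
        if sep and name.lower() == "host":
            hosts.append(value.strip())
    # Missing or duplicated Host header is ambiguous: different layers may pick different values.
    if len(hosts) != 1:
        return None
    parts = request_line.split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    # Absolute-form request target: RFC 7230 makes its authority win over Host. Rather than
    # silently prefer one, reject the request when the two disagree.
    if "://" in target and urlsplit(target).netloc.lower() != hosts[0].lower():
        return None
    return hosts[0] if host_is_allowed(hosts[0]) else None
```

Build absolute URLs such as password reset links from the value this returns (or from a configured canonical base URL), never from the raw `Host` header or any `X-Forwarded-*` header.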

## Password Reset Poisoning

Some web applications build the password reset link from the `Host` header value of the request that triggered the reset. In that case an attacker can request a reset for the victim's account while supplying the attacker's domain as the `Host` header; the victim then receives a link pointing at the attacker's domain, and if the victim clicks it, the attacker's server receives a request containing the victim's reset token.

## Accessing Private Virtual Host

An organization might host several sites on the same web server, some of them as virtual hosts that are not intended to be externally accessible. To discover such hidden virtual hosts, you can fuzz the `Host` header with the following command.

```bash
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u https://website.com/ -of md -o vhosts.txt -H "Host: FUZZ.example.com"
```

## References

* [Testing for Host Header Injection](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection)
* [How to identify and exploit HTTP Host header vulnerabilities](https://portswigger.net/web-security/host-header/exploiting)
