
- by x32x01



What is a Host Header Attack?
A Host Header Attack exploits the HTTP Host header of a web request to manipulate how a website handles incoming traffic. It is possible when:
The server trusts the user-supplied Host header.
There is no proper validation or sanitization of that header before it is used.
It can lead to:
Web cache poisoning
Password reset poisoning
Bypassing authentication or access controls that key on the hostname
Phishing & redirection attacks
How the Host Header Works
Every HTTP/1.1 request carries a Host header. The server uses it to pick the virtual host, and many applications also use it to build absolute URLs:
Code:
GET / HTTP/1.1
Host: vulnerable-website.com
But it is just another request header, so an attacker can set it to anything:
Code:
GET / HTTP/1.1
Host: attacker.com
If the app uses Host without validation (e.g., in password reset links, redirects, canonical URLs), the attacker's value ends up wherever the app puts it.
Example: Host Header Attack in Password Reset
Imagine a web app builds its password reset links from the Host header (PHP):
Code:
$reset_link = "https://" . $_SERVER['HTTP_HOST'] . "/reset?token=abc123";
If an attacker requests a reset for the victim's e-mail address and sets:
Host: evil.com
The victim receives a mail containing:
https://evil.com/reset?token=abc123
Clicking it hands the still-valid token to the attacker's server, which can then complete the reset on the real site.
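The same flaw reproduced as a small WSGI app so the poisoned link can be seen without a mail server. This is an added example, not code from the original post; the hostnames, token and victim address are constructed, and the X-Forwarded-Host fallback mirrors what many frameworks do by default to show that it is a second injection point.

```python
from wsgiref.util import setup_testing_defaults

SENT_MAIL = []  # stand-in for the outgoing mail queue (constructed)


def build_reset_link(environ, token):
    """Same flaw as the PHP above: the hostname comes straight from the request.

    Many frameworks prefer X-Forwarded-Host when it is present, so it is
    consulted first here to show that it is a second injection point.
    """
    host = environ.get("HTTP_X_FORWARDED_HOST") or environ["HTTP_HOST"]
    return f"https://{host}/reset?token={token}"


def app(environ, start_response):
    """POST /forgot: queue a reset mail for the victim using the link above."""
    token = "abc123"  # constructed; a real app issues a random, single-use token
    SENT_MAIL.append({"to": "victim@example.com",
                      "link": build_reset_link(environ, token)})
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"If that address exists, a reset link has been sent.\n"]


def send_forgot_request(headers):
    """Drive the app with a crafted request and return the link it mailed.

    `headers` uses WSGI naming: HTTP_HOST is the Host header,
    HTTP_X_FORWARDED_HOST is X-Forwarded-Host.
    """
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/forgot"}
    setup_testing_defaults(environ)
    environ.update(headers)
    list(app(environ, lambda status, response_headers: None))
    return SENT_MAIL[-1]["link"]


if __name__ == "__main__":
    # 1. Legitimate request: Host as the browser sends it
    print(send_forgot_request({"HTTP_HOST": "vulnerable-website.com"}))
    # 2. Attacker tampers Host (curl -H "Host: evil.com" http://target/forgot)
    print(send_forgot_request({"HTTP_HOST": "evil.com"}))
    # 3. A front proxy fixed Host, but X-Forwarded-Host passed through untouched
    print(send_forgot_request({"HTTP_HOST": "vulnerable-website.com",
                               "HTTP_X_FORWARDED_HOST": "evil.com"}))
```

The third case is the one that survives a naive fix: if you validate only Host at a proxy but the app still prefers X-Forwarded-Host, the mailed link is still the attacker's.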

Vulnerable Use-Cases
Reset password e-mails
Redirects based on the Host header
Generating canonical URLs
Multi-tenant SaaS apps
How to Prevent Host Header Attacks

1. Only Accept Trusted Hostnames
Compare the Host header against an allow-list in the application and reject anything else (Flask shown; note that request.host still carries the port when the client sent one, so normalize before comparing):
Code:
if request.host not in ['yourdomain.com', 'www.yourdomain.com']:
    abort(400)

2. Reject Unknown Hosts at the Web Server
In Nginx ($host is already lower-cased and has the port stripped; return 444 closes the connection without a response). The same effect is usually achieved with a default_server block that returns 444 for every name not listed in a server_name:
Code:
server {
    if ($host !~ ^(yourdomain\.com|www\.yourdomain\.com)$ ) {
        return 444;
    }
}
3. Avoid Using the Host Header Directly
Instead of building URLs from Host, use a fixed, configured base URL for anything that ends up in e-mails, redirects or canonical tags.
4. Do Not Honour HTTP/1.0 Requests or Proxy Headers
HTTP/1.0 requests may omit Host entirely and fall through to the default virtual host; reject them. Headers like X-Forwarded-Host, X-Host, etc. are just as attacker-controlled as Host, so strip them at the edge and only honour them when they were set by a proxy you operate (like Cloudflare or your own Nginx), never when they arrive directly from a client.
How to Test for Host Header Attacks
Burp Suite: intercept the request and modify the Host header (or add X-Forwarded-Host / X-Host) before forwarding it.
curl:
Code:
curl -H "Host: evil.com" http://target.com
Then look for evil.com in the response (redirect Location, canonical tag, links) and in any e-mail the request triggers.

Host header injection is often low-hanging fruit. Search for:
Password reset links
Email confirmation links
Canonical tag manipulation
Open redirect via Host
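A small checker for the items in that list, written for this page as an added example rather than taken from the original post. It generates the raw requests equivalent to the curl command above (one per header the page names as an injection point) and scans a response for the injected canary hostname in the Location header, the canonical tag, a meta refresh and any other URL-bearing attribute. The canary domain and the sample response are constructed.

```python
from html.parser import HTMLParser

# Hostname injected into Host / X-Forwarded-Host / X-Host while testing.
# Constructed; in practice use a domain you control so out-of-band hits show up.
CANARY = "hh-canary.example"


def probe_requests(target, path="/forgot"):
    """Raw HTTP/1.1 requests equivalent to `curl -H "Host: ..."`, one per
    header the page lists as an injection point."""
    base = f"GET {path} HTTP/1.1\r\n"
    return {
        "host": base + f"Host: {CANARY}\r\n\r\n",
        "x-forwarded-host": base + f"Host: {target}\r\nX-Forwarded-Host: {CANARY}\r\n\r\n",
        "x-host": base + f"Host: {target}\r\nX-Host: {CANARY}\r\n\r\n",
    }


class _TagCollector(HTMLParser):
    """Collect every start tag with its attributes; URL checks happen later."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def find_reflections(headers, body, canary=CANARY):
    """Return [(where, value)] for every place the canary host was reflected.

    Covers the checklist above: a Location header (open redirect via Host),
    <link rel="canonical">, <meta http-equiv="refresh">, and any other
    URL-bearing attribute such as a reset or confirmation link's href.
    """
    hits = []
    for name, value in headers:
        if name.lower() == "location" and canary in value:
            hits.append(("header:Location", value))
    parser = _TagCollector()
    parser.feed(body)
    for tag, attrs in parser.tags:
        for attr in ("href", "src", "action", "content"):
            value = attrs.get(attr)
            if not value or canary not in value:
                continue
            label = tag
            if tag == "link" and (attrs.get("rel") or "").lower() == "canonical":
                label = "canonical"
            elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
                label = "meta-refresh"
            hits.append((f"{label}[{attr}]", value))
    return hits


# Constructed response, as a vulnerable app might answer the "host" probe.
SAMPLE_HEADERS = [("Content-Type", "text/html"),
                  ("Location", f"https://{CANARY}/login")]
SAMPLE_BODY = f"""<html><head>
<link rel="canonical" href="https://{CANARY}/">
<meta http-equiv="refresh" content="0; url=https://{CANARY}/home">
<script src="https://cdn.example.net/app.js"></script>
</head><body>
<a href="https://{CANARY}/reset?token=abc123">Reset your password</a>
<a href="https://vulnerable-website.com/help">Help</a>
</body></html>"""

if __name__ == "__main__":
    for name, raw in probe_requests("vulnerable-website.com").items():
        print(f"--- {name} probe ---\n{raw}")
    for where, value in find_reflections(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"reflected in {where}: {value}")
```

A reflection in the body alone is not always exploitable; the ones that matter most are those that reach a victim (mailed links) or a shared cache (Location, canonical), which is why the checklist above leads with reset and confirmation e-mails.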


Host header attacks are simple but dangerous. Always validate user input, and treat HTTP headers, Host included, as user input. Don't trust client-supplied