HTTP Host header
HTTP Host header injection
Supply an arbitrary Host header
Test for flawed validation
Test for duplicate Host headers
Supply an absolute URL
Many servers are also configured to understand requests for absolute URLs. Officially, the request line should be given precedence when routing the request, but in practice this isn't always the case. You can potentially exploit these discrepancies in much the same way as duplicate Host headers.
Note that you may also need to experiment with different protocols. Servers will sometimes behave differently depending on whether the request line contains an HTTP or an HTTPS URL.
Add line wrapping
Some servers will interpret the indented header as a wrapped line and, therefore, treat it as part of the preceding header's value. Other servers will ignore the indented header altogether.
Inject host override headers
You can sometimes use X-Forwarded-Host to inject your malicious input while circumventing any validation on the Host header itself.
GET /example HTTP/1.1
Although X-Forwarded-Host is the de facto standard for this behavior, you may come across other headers that serve a similar purpose, including:
In Burp Suite, you can use the Param Miner extension's "Guess headers" function to automatically probe for supported headers using its extensive built-in wordlist.
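The validation discrepancies listed above (arbitrary Host values, duplicate Host headers, absolute-URL request targets, folded header lines and override headers such as X-Forwarded-Host) are easiest to reason about from the receiving side. The following Python is an added example, not code from the original notes or from Burp Suite or Param Miner: a request-head parser and Host resolver that refuses each of those ambiguities instead of guessing which value was meant. The allow-list entries, the trusted proxy address, the client addresses and the sample requests are all constructed placeholders.

```python
"""Hardened Host resolution for an application that may sit behind a reverse proxy.

Added example, not from the original notes. ALLOWED_HOSTS, TRUSTED_PROXIES and
SAMPLE_REQUESTS are constructed placeholders.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.com"}   # constructed: hostnames this deployment serves
TRUSTED_PROXIES = {"10.0.0.5"}        # constructed: only this peer may set X-Forwarded-Host


class HostError(ValueError):
    """Raised when the host information in a request cannot be trusted."""


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, target, [(name, value), ...]).

    Duplicate headers are preserved so the caller can detect them. A header line
    that starts with a space or tab is obsolete line folding; it is rejected
    outright rather than merged into the previous header or silently dropped.
    """
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError as exc:
        raise HostError("non-ASCII bytes in request head") from exc
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise HostError("malformed request line")
    method, target, _version = parts
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t":
            raise HostError("obsolete line folding rejected")
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise HostError("malformed header line")
        headers.append((name.lower(), value.strip()))
    return method, target, headers


def _hostname(value: str):
    """Extract the lower-cased hostname from 'host[:port]' or an absolute URL."""
    try:
        return urlsplit(value if "://" in value else "//" + value).hostname
    except ValueError:
        return None


def resolve_host(raw: bytes, client_ip: str) -> str:
    """Return the single trustworthy hostname for this request, or raise HostError."""
    _method, target, headers = parse_request(raw)

    # Exactly one Host header, and it must be one we actually serve.
    host_values = [v for n, v in headers if n == "host"]
    if len(host_values) != 1:
        raise HostError(f"expected exactly one Host header, got {len(host_values)}")
    hostname = _hostname(host_values[0])
    if hostname not in ALLOWED_HOSTS:
        raise HostError(f"Host {host_values[0]!r} is not in the allow-list")

    # An absolute-form request target must agree with Host rather than override it.
    if target.lower().startswith(("http://", "https://")):
        if _hostname(target) != hostname:
            raise HostError("absolute-form request target disagrees with Host")

    # X-Forwarded-Host is ignored from ordinary clients and only honoured from a
    # trusted proxy, and even then it must name an allow-listed host.
    forwarded = [v for n, v in headers if n == "x-forwarded-host"]
    if forwarded and client_ip in TRUSTED_PROXIES:
        if len(forwarded) != 1:
            raise HostError("multiple X-Forwarded-Host values from proxy")
        fwd_hostname = _hostname(forwarded[0])
        if fwd_hostname not in ALLOWED_HOSTS:
            raise HostError(f"X-Forwarded-Host {forwarded[0]!r} is not in the allow-list")
        hostname = fwd_hostname
    return hostname


# Constructed requests mirroring the probes described in the notes above.
SAMPLE_REQUESTS = {
    "baseline": b"GET /example HTTP/1.1\r\nHost: app.example.com\r\n\r\n",
    "arbitrary_host": b"GET /example HTTP/1.1\r\nHost: evil.example\r\n\r\n",
    "duplicate_host": b"GET /example HTTP/1.1\r\nHost: app.example.com\r\nHost: evil.example\r\n\r\n",
    "absolute_url": b"GET https://evil.example/example HTTP/1.1\r\nHost: app.example.com\r\n\r\n",
    "line_wrapping": b"GET /example HTTP/1.1\r\nHost: app.example.com\r\n Host: evil.example\r\n\r\n",
    "override_from_client": b"GET /example HTTP/1.1\r\nHost: app.example.com\r\nX-Forwarded-Host: evil.example\r\n\r\n",
}


def evaluate(raw: bytes, client_ip: str) -> str:
    """Return the resolved hostname, or 'rejected' when the request is refused."""
    try:
        return resolve_host(raw, client_ip)
    except HostError:
        return "rejected"


def run_samples(client_ip: str = "203.0.113.9") -> dict:
    """Evaluate every constructed sample as sent by an untrusted client."""
    return {name: evaluate(raw, client_ip) for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:22s} -> {outcome}")
```

The override-from-client sample resolves to the allow-listed host because the X-Forwarded-Host value is simply discarded; the same request arriving from the trusted proxy address is rejected, since the forwarded name is not one the deployment serves. In practice the proxy itself should strip client-supplied X-Forwarded-* headers before they reach the application, and this resolver is the second line of defence.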
Password reset poisoning
- Test the forgot-password functionality.
- Observe that you have received an email containing a link to reset your password. Notice that the URL contains the query parameter
- Try to coerce the web server into sending the link to your server. Try:
  - Change the Host header to an arbitrary value and confirm that the password reset is still triggered successfully.
  - Add the X-Forwarded-Host header, or similar headers, to the request.
- Confirm that your server received the user's reset token once they click the link.
- Go to your email client and copy the genuine password reset URL from your first email. Visit this URL in your browser.
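Password reset poisoning works because the server builds the emailed link from host information that the request controls. The Python below is an added example, not code from the original notes: it places a link builder that trusts Host and X-Forwarded-Host next to one that uses a canonical origin fixed in configuration, and adds a check over constructed access-log entries that flags forgot-password requests carrying an unexpected host or an override header. The origin, the query parameter name, the log format, the log lines and the client address are all assumptions.

```python
"""Password-reset links: request-derived host (poisonable) vs configured origin,
plus a detection pass over access-log entries for the forgot-password endpoint.

Added example, not from the original notes. CANONICAL_ORIGIN, the 'token'
parameter name, ALLOWED_HOSTS and SAMPLE_LOG are constructed placeholders.
"""
import json
import secrets
from urllib.parse import urlencode

CANONICAL_ORIGIN = "https://app.example.com"   # constructed: fixed in server config
ALLOWED_HOSTS = frozenset({"app.example.com"})  # constructed allow-list


def new_reset_token() -> str:
    """Unguessable single-use token; a real implementation also stores it with an expiry."""
    return secrets.token_urlsafe(32)


def reset_link_from_headers(headers: dict, token: str) -> str:
    """Poisonable builder: whichever host the request carried ends up in the email.

    X-Forwarded-Host, when present, takes precedence over Host, which is exactly
    the behaviour the notes above rely on.
    """
    host = headers.get("x-forwarded-host") or headers.get("host")
    return f"https://{host}/reset?{urlencode({'token': token})}"


def reset_link_from_config(token: str) -> str:
    """Hardened builder: the origin comes from configuration, never from the request."""
    return f"{CANONICAL_ORIGIN}/reset?{urlencode({'token': token})}"


# Constructed JSON-lines access log: one forgot-password request per line plus a
# control entry for another path. "xfh" holds the X-Forwarded-Host value, if any.
SAMPLE_LOG = [
    '{"ts":"2024-01-01T10:00:00Z","path":"/forgot-password","host":"app.example.com","xfh":null,"client":"203.0.113.9"}',
    '{"ts":"2024-01-01T10:00:05Z","path":"/forgot-password","host":"evil.example","xfh":null,"client":"203.0.113.9"}',
    '{"ts":"2024-01-01T10:00:09Z","path":"/forgot-password","host":"app.example.com","xfh":"evil.example","client":"203.0.113.9"}',
    '{"ts":"2024-01-01T10:01:00Z","path":"/login","host":"app.example.com","xfh":"evil.example","client":"203.0.113.9"}',
]


def suspicious_reset_requests(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Return [(timestamp, [reasons])] for forgot-password requests worth reviewing.

    Two signals are checked: the Host value is not one the deployment serves, or an
    override header such as X-Forwarded-Host was present on the request at all.
    """
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        if entry["path"] != "/forgot-password":
            continue
        reasons = []
        if entry["host"] not in allowed_hosts:
            reasons.append("host-not-allowed")
        if entry.get("xfh"):
            reasons.append("override-header-present")
        if reasons:
            findings.append((entry["ts"], reasons))
    return findings


if __name__ == "__main__":
    token = new_reset_token()
    poisoned = {"host": "app.example.com", "x-forwarded-host": "evil.example"}
    print("header-derived:", reset_link_from_headers(poisoned, token))
    print("config-derived:", reset_link_from_config(token))
    for ts, reasons in suspicious_reset_requests(SAMPLE_LOG):
        print(ts, ", ".join(reasons))
```

The header-derived builder emails a link pointing at whatever the override header named; the config-derived builder produces the same link regardless of what the request carried, which removes the poisoning vector entirely. The log check is deliberately narrow: it only looks at the password-reset endpoint, where an unexpected host or override header is far more likely to be a probe than a legitimate multi-tenant request.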