dEEpEst
☣☣ In The Depths ☣☣
Staff member
Administrator
Super Moderator
Hacker
Specter
Crawler
Shadow
- Joined
- Mar 29, 2018
- Messages
- 13,861
- Solutions
- 4
- Reputation
- 27
- Reaction score
- 45,549
- Points
- 1,813
- Credits
- 55,350
7 Years of Service
56%
This post was created for the Hack Tools Dark Community.
Host Header Injection → Cache PoisoningManipulating HTTP headers — especially the `Host` and `X-Forwarded-Host` headers — can lead to serious vulnerabilities like:
Cache Poisoning:Altering the response stored by CDNs or reverse proxies. When `Host: evil.com` or `X-Forwarded-Host: evil.com` is injected, it can trick caches into storing and serving malicious content.
Phishing via Password Reset Links:Some systems use the `Host` header to build password reset URLs. If not validated, attackers can inject:
X-Forwarded-Host: attacker.comResulting in password reset emails with links to:
http://attacker.com/reset?token=xyz Open Redirects & SSRF:In misconfigured environments, host-based routing or SSRF protections can be bypassed by spoofing `Host` or `X-Forwarded-Host`.
Example from Burp Suite:
Code:
POST /login/forgotpassword HTTP/1.1
Host: website.com
X-Forwarded-Host: localhost.attacker.com
Content-Type: application/x-www-form-urlencoded
...
email=victim%40gmail.com
Test Payloads:
Code:
Host: evil.com
X-Forwarded-Host: evil.com
Defensive Tips (Blue Team):• Never trust user-supplied `Host` headers.
• Hardcode your domain in links inside emails.
• Strip or sanitize `X-Forwarded-Host` if not used.
• Set proper `Cache-Control` headers to prevent poisoning.
Got insights or experience with Host Header exploits or defenses?Join the discussion below and share your tests, bypasses, or protection strategies!