Testing for Vulnerability
Test Objectives
Assess whether the application parses the Host header dynamically.
Bypass security controls that rely on the header.
How to Test
Supply an arbitrary Host header

```http
GET / HTTP/1.1
Host: www.attacker.com
```
Check for flawed validation (bypass attempts)
```http
# Supplying a non-numeric port number
GET /example HTTP/1.1
Host: vulnerable-website.com:bad-stuff-here
```
```http
# Registering a domain whose name contains the expected host name as a substring
GET /example HTTP/1.1
Host: notvulnerable-website.com
```
```http
# An already compromised subdomain of the expected domain
GET /example HTTP/1.1
Host: hacked-subdomain.vulnerable-website.com
```
```http
# Inject duplicate Host headers
GET /example HTTP/1.1
Host: vulnerable-website.com
Host: bad-stuff-here
```
```http
# Supply an absolute URL in the request line
GET https://vulnerable-website.com/ HTTP/1.1
Host: bad-stuff-here
```
```http
# Add line wrapping (an indented header line that a lenient parser may accept)
GET /example HTTP/1.1
    Host: bad-stuff-here
Host: vulnerable-website.com
```
```http
# Using X-Forwarded-Host to inject malicious input
GET /example HTTP/1.1
Host: vulnerable-website.com
X-Forwarded-Host: bad-stuff-here
```
```http
# Similar headers that may be honoured in place of X-Forwarded-Host
X-Host
X-Forwarded-Server
X-HTTP-Host-Override
Forwarded
```
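The defender-side counterpart to the checks above, as an added example that is not part of the original page: a strict Host validator that rejects every bypass shape listed (non-numeric port, substring-matching domain, duplicate headers, absolute-URL/Host mismatch, line-wrapped headers) and ignores the X-Forwarded-* family. `ALLOWED_HOSTS`, `parse_request_head` and `effective_host` are names chosen for this example, and the allowlist is constructed.

```python
import re
from typing import Optional

# Constructed allowlist for this example; a real deployment loads it from configuration.
ALLOWED_HOSTS = {"vulnerable-website.com", "www.vulnerable-website.com"}

# Host name plus an optional *numeric* port; "host:bad-stuff-here" does not match.
HOST_RE = re.compile(r"(?P<host>[a-z0-9.-]+)(?::(?P<port>[0-9]{1,5}))?", re.IGNORECASE)


def parse_request_head(raw: bytes):
    """Split a raw request head into (request line, [(name, value), ...]).
    A header line starting with whitespace is obs-fold line wrapping; it is
    rejected instead of being merged, so a wrapped 'Host:' can never win."""
    lines = raw.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        if line == b"":
            break
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obs-fold header line rejected")
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def effective_host(raw: bytes) -> Optional[str]:
    """Return the validated host name, or None when the request must be rejected."""
    try:
        request_line, headers = parse_request_head(raw)
    except ValueError:
        return None
    hosts = [v for n, v in headers if n == "host"]
    if len(hosts) != 1:  # missing or duplicate Host header
        return None
    m = HOST_RE.fullmatch(hosts[0])
    if not m or m.group("host").lower() not in ALLOWED_HOSTS:
        return None  # exact-match allowlist: "notvulnerable-website.com" fails here
    host = m.group("host").lower()
    parts = request_line.split(" ")
    if len(parts) != 3:
        return None
    if "://" in parts[1]:  # absolute-form target must agree with the Host header
        authority = parts[1].split("://", 1)[1].split("/", 1)[0]
        am = HOST_RE.fullmatch(authority)
        if not am or am.group("host").lower() != host:
            return None
    # X-Forwarded-Host, X-Host, X-Forwarded-Server, X-HTTP-Host-Override and
    # Forwarded are ignored on purpose; the edge proxy is expected to strip them.
    return host
```

Each request in the section above can be fed to `effective_host` as raw bytes; only the ones whose Host resolves to an allowlisted name without ambiguity return a value.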