Host Header Attack


Host header attack possible, an attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways.


It is normal practice for a similar web server to have a few sites or web applications on a similar IP address. The Host header determines which site or web application should process an approaching HTTP request. The web server utilizes the Host header parameter value of to dispatch the request to the predetermined site or web application. Each web application existing on a similar IP address is commonly referred to as a virtual host. Numerous web applications depend on the HTTP Host header to understand for themselves their location. What numerous application admin don't understand is that the HTTP Host header is controlled by the client. Hence they pose many risks and induce various attack vectors namely

  • password reset poisoning
  • cache poisoning
  • access to other internal host/application
  • XSS, etc.

GET /index.html HTTP/1.1 GET /index.html HTTP/1.1
Host:               Host:


    • Host header injection can be moderated by dismissing any demand that doesn't coordinate the objective area.
    • Approving Host header to guarantee that the demand is starting from that target host or not.
    • Host header injection can be relieved in Apache and Nginx by making a dummy virtual host that gets all requests with unrecognized Host headers.
    • By making a white-list of trusted domain amid the underlying setup of the application and mapping areas got in Host header of every single request with it.
    • It is prescribed to incapacitate the help for the X-Forwarded-Host header and if can't be disabled put legitimate security checks on it to prevent its tampering.
    • One should utilize secure server setup.