The HTTP Host header can be used to attack websites that use its value without validating it: a user can inject a payload into the header that changes the server's behaviour. Note that the Host header can easily be modified by proxies.
Typically a web application uses the HTTP Host header for generating absolute URLs.
An HTTP Host header attack can be used for:
- Password reset poisoning. If the vulnerable website uses the Host header to generate the password reset link, it is prone to a password reset poisoning attack. Read a simple yet detailed explanation at https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning.
- Web cache poisoning. The Host header can be used for a web cache poisoning attack, which depends on populating the cache with a response that contains an untrusted injected header. See a simple yet detailed explanation at https://www.acunetix.com/blog/articles/what-is-web-cache-poisoning/
- The Host header can also be used as an injection point for SQLi and XSS.
- Routing-based SSRF. A typical SSRF attack relies on the application server using a URL derived from user input, so by controlling the URL the attacker can execute unauthorized actions or access data. A simple example: an attacker is able to send the URL http://192.168.0.68/admin-module.jsp and the server makes an HTTP request to this URL and returns the response. Read more at https://portswigger.net/web-security/ssrf. Routing-based SSRF instead exploits a reverse proxy. The reverse proxy receives a request and routes it to the appropriate backend; Host header manipulation can make the proxy misroute the request. This is dangerous because load balancers are typically gateways to the internal network.
How to prevent HTTP Host header attacks
- Avoid using the Host header in server-side code. To create absolute URLs, use the domain name from a configuration file.
- If the Host header must be used, it must be properly validated against a whitelist of allowed hostnames.
- The above two rules should be applied to the X-Forwarded-Host header as well.
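The two prevention rules above, as an added example (not code from the original page): a Host / X-Forwarded-Host whitelist check and a password reset link built from configuration rather than from the request. The allowed hostnames, the canonical origin and the reset path are constructed values.

```python
from urllib.parse import urlunsplit

# Constructed configuration: the hostnames this deployment answers to and the
# canonical origin used for absolute URLs. Both come from config, never from the request.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
CANONICAL_ORIGIN = ("https", "www.example.com")


def normalize_host(raw):
    """Lower-case a Host or X-Forwarded-Host value and strip an explicit port.

    Returns None for anything that does not look like a single hostname, so that
    comma-separated proxy chains, embedded paths or spaces are rejected outright.
    """
    if raw is None:
        return None
    host = raw.strip().lower()
    if not host or "," in host or " " in host or "/" in host:
        return None
    if host.startswith("["):  # bracketed IPv6 literal, keep the brackets
        end = host.find("]")
        if end == -1:
            return None
        host = host[: end + 1]
    elif ":" in host:  # strip ':port'
        host = host.rsplit(":", 1)[0]
    return host or None


def host_is_allowed(headers):
    """Return True only if Host is present and every host-carrying header is whitelisted.

    `headers` is a dict with canonical header names (e.g. as a framework exposes them).
    X-Forwarded-Host is checked with the same rule, as the prevention list requires.
    """
    for name in ("Host", "X-Forwarded-Host"):
        if name in headers:
            host = normalize_host(headers[name])
            if host is None or host not in ALLOWED_HOSTS:
                return False
    return "Host" in headers


def password_reset_link(token):
    """Build the absolute reset URL from configuration, so a poisoned Host header
    can never end up in the link that is e-mailed to the user."""
    scheme, host = CANONICAL_ORIGIN
    return urlunsplit((scheme, host, "/reset-password", f"token={token}", ""))
```

Reject the request (for example with HTTP 400) whenever `host_is_allowed` returns False, before any URL is generated from it.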
Read more
- https://portswigger.net/web-security/host-header/exploiting