HTTP Header

What is the Host header?

The Host header is an HTTP header field that specifies the domain name or IP address of the
server with which the client is communicating. It is a crucial part of the HTTP protocol,
especially in situations where multiple websites are hosted on the same server and share the
same IP address. The Host header helps the server determine which website or application
the client is requesting.

When a client sends an HTTP request to a server, the request typically includes a Host header
to indicate the target domain. This is essential for virtual hosting, where multiple websites are
hosted on a single server, each identified by its domain name. The server uses the Host header
information to route the request to the appropriate website.

Here's a simplified example of an HTTP request with the Host header:

GET /path/to/resource HTTP/1.1
Host: www.example.com

In this example, the Host header specifies that the client is requesting a resource from the
"www.example.com" domain. The server, upon receiving the request, uses this information
to route the request to the correct virtual host or website.

What is Host Header Injection?

Host Header Injection is a web security vulnerability that occurs when an attacker is able to
manipulate or inject a malicious host header into an HTTP request. This vulnerability typically
arises in situations where the web application uses the value of the Host header to make
decisions about the processing of the request.
The Host header is crucial for virtual hosting on web servers, as it helps determine which
website or application should handle a particular request. However, if an attacker can
manipulate the Host header, they may be able to trick the web application into processing the
request in unintended ways.
Common scenarios where Host Header Injection can be exploited include:

1. Cache Poisoning: If a web application relies on the Host header for caching decisions, an attacker might inject a malicious Host header to poison the cache and serve malicious content to other users.
2. Session Fixation: Some web applications tie sessions to a specific domain. If an attacker can inject a malicious Host header, they might be able to fixate the user's session to a domain under their control.
3. Bypassing Security Controls: If security controls or restrictions are based on the Host header, an attacker may manipulate it to bypass security mechanisms and access unauthorized parts of the application.
4. Cross-Site Scripting (XSS) Attacks: In some cases, an attacker might use Host Header Injection to trigger XSS attacks by injecting a malicious domain that serves a payload.

To prevent Host Header Injection, developers and system administrators should validate and
sanitize user input, especially input that is used to construct HTTP headers. Additionally, web
applications should be configured to reject requests with unexpected or malicious Host
headers.

What is the impact of Host Header Injection?

The impact of Host Header Injection can vary depending on how the web application uses the
Host header and the specific context in which the vulnerability is exploited. Here are some
potential impacts:
1. Cache Poisoning: If the web application uses the Host header for caching decisions, an attacker could inject a malicious Host header to poison the cache. This could result in the serving of incorrect or malicious content to users who request the same resource.
2. Session Fixation: If sessions are tied to a specific domain, an attacker might use Host Header Injection to fixate a user's session to a domain under their control. This could allow the attacker to hijack the user's session and perform actions on behalf of the victim.
3. Security Control Bypass: If security controls or restrictions are based on the Host header, an attacker could manipulate it to bypass security mechanisms. This might lead to unauthorized access to certain parts of the application or the execution of actions that are supposed to be restricted.
4. Cross-Site Scripting (XSS) Attacks: In some cases, Host Header Injection can be used as part of a more sophisticated attack to trigger XSS. By injecting a malicious domain in the Host header, an attacker may be able to load scripts from their controlled domain, leading to the execution of malicious code in the context of the victim's browser.
5. Information Disclosure: If the application relies on the Host header for routing or decision-making and exposes sensitive information based on this header, an attacker might manipulate it to gain access to sensitive data.
6. Domain Spoofing: Host Header Injection can be used for domain spoofing, where an attacker tricks the application into processing requests as if they were originating from a trusted domain. This could lead to phishing attacks or other malicious activities.

How do you prevent it?

Preventing Host Header Injection involves implementing secure coding practices and
configuring web servers to minimize the risk of this vulnerability. Here are some
recommendations:

1. Validate and Sanitize Input:
   • Always validate and sanitize user input before using it to construct HTTP headers.
   • Ensure that the Host header value is expected and matches the intended format.
2. Use a Whitelist Approach:
   • Use a whitelist of allowed domain names for processing requests. Only accept requests with Host headers that match the expected, legitimate domain names.
3. Avoid Trusting User-Supplied Host Headers:
   • Do not blindly trust or use Host header values provided by users. Treat them as untrusted input and validate them rigorously.
4. Configure Web Servers Securely:
   • Configure web servers to explicitly set the server's canonical hostname and domain. This can help prevent attackers from injecting arbitrary host headers.
   • If using a reverse proxy, ensure that it is configured securely and doesn't allow arbitrary Host headers.
5. Security Controls and Headers:
   • Implement security controls that are not solely based on the Host header.
   • Use security headers like Content Security Policy (CSP) to mitigate the risk of XSS attacks, even if Host Header Injection occurs.
6. Update and Patch:
   • Keep web servers, frameworks, and any third-party libraries up-to-date with the latest security patches. Vulnerabilities that could lead to Host Header Injection may be patched in newer releases.
7. Regular Security Audits and Testing:
   • Conduct regular security audits and penetration testing to identify and address vulnerabilities, including Host Header Injection.
   • Use automated security testing tools to scan for common web application security issues.
8. Educate Developers:
   • Ensure that developers are educated about secure coding practices, including the proper handling of user input, and the risks associated with Host Header Injection.
9. Monitor and Log:
   • Implement logging and monitoring mechanisms to detect and respond to suspicious activity, such as unexpected changes in the Host header.
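
As an added example (not part of the original document), the following Python sketch shows both pieces the page describes: a server that reads the Host header to pick a virtual host, and the allowlist validation and logging recommended in the list above. The allowlist, per-host handlers and rejection reasons are constructed for the example; it assumes DNS-style hostnames only (no IPv6 literals) and rejects requests that carry zero or multiple Host headers rather than guessing which one was meant.

```python
import re

# Constructed allowlist of canonical hostnames this server is willing to serve.
ALLOWED_HOSTS = {"www.example.com", "example.com", "api.example.com"}
DEFAULT_PORT = 443
# Constructed per-vhost handlers; a real server would map each to its own app/docroot.
HANDLERS = {h: (lambda target, h=h: f"{h} serves {target}") for h in ALLOWED_HOSTS}

# DNS-style host names only (no IPv6 literals, no userinfo, no path characters).
_HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]{0,251}[a-z0-9])?$")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, version, headers).

    headers is a list of (name, value) pairs so duplicate Host headers stay visible.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = [(n.strip().lower(), v.strip()) for n, _, v in
               (line.partition(":") for line in lines[1:] if line)]
    return method, target, version, headers


def validate_host(headers, allowed=ALLOWED_HOSTS, port=DEFAULT_PORT):
    """Return (host, None) if exactly one acceptable Host header is present, else (None, reason)."""
    hosts = [v for n, v in headers if n == "host"]
    if len(hosts) != 1:                      # HTTP/1.1 requires exactly one Host
        return None, "missing or duplicate Host header"
    host, _, p = hosts[0].lower().partition(":")
    if p and (not p.isdigit() or int(p) != port):
        return None, "unexpected port"
    if not _HOST_RE.match(host):
        return None, "malformed Host value"
    if host not in allowed:                  # exact-match allowlist, no wildcards
        return None, "Host not in allowlist"
    return host, None


def dispatch(raw: bytes, handlers=HANDLERS):
    """Route to the vhost handler for a validated Host; otherwise refuse with 421."""
    _, target, _, headers = parse_request(raw)
    host, reason = validate_host(headers)
    if host is None:
        # Log for monitoring (item 9 above); repr() keeps hostile values from
        # breaking the log line. The reason is not echoed back to the client.
        print(f"rejected: {reason}: {[v for n, v in headers if n == 'host']!r}")
        return 421, "Misdirected Request"
    return 200, handlers[host](target)
```

421 Misdirected Request is the HTTP status defined for a request whose Host the server is not configured to serve, which is why the refusal uses it instead of a generic 400.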
