Find & Prevent Host Header Injection with These Resources

Shezan is a technology enthusiast currently studying Computer Science and Engineering. He codes both the frontend and backend of websites, and he also does penetration testing on web apps.

A mishandled HTTP Host header can put your web app and your users' security at risk. Measures should be taken before that happens. Better safe than sorry.

What to Learn from These Resources:

  • What is "Host Header Injection" (also known as "HBI")?
  • Why does this happen?
  • Where can this bug be found?
  • How to test for this bug?
  • All ways to find this bug
  • Can it come from another vulnerability?
  • Can it be chained with other bugs?
  • Can it lead to another vulnerability?
  • What is the impact of this?
  • Why is this a problem on a specific platform?
  • What exactly will you be able to do on that platform by exploiting these?
  • How to mitigate this bug?
  • Some real-life cases with this bug

Resources:

  1. https://portswigger.net/web-security/host-header
  2. https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection
  3. https://crashtest-security.com/invalid-host-header/
  4. https://www.acunetix.com/vulnerabilities/web/host-header-attack/
  5. https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/
  6. https://www.secuneus.com/host-header-injection/
  7. https://www.valencynetworks.com/kb/host-header-attack.html
  8. https://dzone.com/articles/what-is-a-host-header-attack
  9. https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
  10. https://attacker-codeninja.github.io/2021-09-09-portswigger-notes-on-host-header-attack/
  11. https://www.linkedin.com/pulse/host-header-injection-depth-utkarsh-tiwari/
  12. https://medium.com/@tameemkhalid786/host-header-injection-on-password-reset-functionality-an-easy-p2-5c6263c2e3d4
  13. https://bmacharia.com/2021/03/04/account-takeover-through-host-header-injection/
  14. https://hackerone.com/reports/317476
  15. https://lightningsecurity.io/blog/host-header-injection/
  16. https://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html
  17. https://kathan19.gitbook.io/howtohunt/host-header-attack/host-header
  18. https://getridbug.com/information-security/is-host-header-injection-possible-without-cache-or-password-reset/
  19. https://infinitelogins.com/2021/01/02/http-host-header-attacks-and-portswigger-academy-lab-examples/
  20. https://lavankumar2604.wixsite.com/hacker/post/host-header-injection-made-me-earn-250
  21. https://stackoverflow.com/questions/47880156/host-header-injection
  22. https://www.exploit-db.com/exploits/38068
  23. https://vladtoie.gitbook.io/secure-coding/server-side/host-header-injection
  24. https://github.com/daffainfo/AllAboutBugBounty/blob/master/Host%20Header%20Injection.md
  25. https://web.dev/security-headers/
  26. https://stackoverflow.com/questions/43941048/prevent-host-header-attack
  27. https://www.ibm.com/docs/en/odm/8.9.2?topic=configuring-protecting-from-host-header-injection
  28. https://developpaper.com/http-host-header-attacks-for-web-security/
  29. https://techcommunity.microsoft.com/t5/iis-support-blog/host-header-vulnerability/ba-p/1031958
  30. https://nileshsapariya.blogspot.com/2015/10/host-header-injection-at.html

Let us know in the comments section if you have more. 🙂