portswigger-all-labs

Complete PortSwigger Web Security Academy Lab Writeups Detailed, categorized solutions for every lab — from APPRENTICE to EXPERT — covering all 30 vulnerability types.


HTTP Host Header and Host Header Attacks

What is the HTTP Host Header?

The HTTP Host header is mandatory in every HTTP/1.1 request (a server must reject a request without it; HTTP/2 carries the same information in the :authority pseudo-header). It names the host, and optionally the port, the client wants to reach, which is what lets one IP address, load balancer or reverse proxy serve many sites:

GET /web-security HTTP/1.1
Host: portswigger.net


Purpose of the Host Header

Analogy

Think of the Host header as the apartment number on a letter to a shared building: the street address (the IP) gets the letter to the building, and the apartment number (the Host header) routes the request to the correct website or application inside it.


HTTP Host Header Attacks

Definition

Host header attacks occur when a server mishandles or implicitly trusts the Host header, which, like every other request header, is fully under the client's control. Code that treats it as a trustworthy "our own hostname" value is what turns it into a security vulnerability.

Vulnerabilities Include:


Why Do Host Header Vulnerabilities Arise?

  1. Implicit Trust: Assuming the Host header is not user-controlled, for example when building absolute URLs (redirects, password reset links) from it.
  2. Poor Validation: Not validating, canonicalizing or escaping the header before use, so look-alike names, odd ports or injected characters pass through.
  3. Insecure Defaults: Many third-party tools and frameworks honour override headers such as X-Forwarded-Host by default, even when no proxy sets them.
  4. Discrepancies Between Components: Front-end and back-end systems may parse the same request differently (duplicate headers, absolute request lines, folded lines), so a value the front-end validated is not the value the back-end uses.

How to Test for HTTP Host Header Vulnerabilities

1. Supply Arbitrary Host

Host: attacker.com

Check whether the injected value is reflected in the response: in a Location redirect, in absolute URLs (links, forms, script sources) in the body, or in headers such as Set-Cookie. A reflected value means the application is building something from the Host header.

2. Use Invalid Ports, Look-alike Names or Subdomains

Host: vulnerable.com:evil
Host: notvulnerable-website.com
Host: hacked-subdomain.vulnerable.com

A non-numeric port, a name that merely contains the expected one, or an arbitrary subdomain shows how strict the validation is: a check based on "contains" or "ends with" lets all three through.

3. Inject Duplicate Host Headers

Host: vulnerable.com
Host: attacker.com

The front-end may validate the first header while the back-end uses the last (or the other way round); note which of the two values the response reflects.

4. Use Absolute URLs

GET https://vulnerable.com/ HTTP/1.1
Host: attacker.com

Some servers give the authority in the request line precedence over the Host header, so one component may validate the Host header while another routes on the request line.

5. Line Wrapping Trick

Host: attacker.com
 Host: vulnerable.com

The indented second line is obsolete HTTP line folding: a component that unfolds it sees a single (validated) Host header, while one that does not sees two, and the two components can disagree about which value is the real Host.

Host Header Override Headers

If the Host header itself is validated (or rewritten by a front-end), headers that frameworks and proxies use to override it may not be:

Host: vulnerable.com
X-Forwarded-Host: attacker.com

Other headers to try:


Mitigation Techniques

  1. Strict Validation: Compare the Host header against a whitelist of the hostnames the application actually serves and reject the request (HTTP 400) when it does not match; never use a "contains" or "ends with" check.
  2. Canonicalization: Lower-case the value, strip the default port and any trailing dot, and reject malformed values (non-numeric ports, stray characters, more than one Host header) before comparing it with the whitelist.
  3. Avoid User-Controlled URLs: Build absolute URLs (password reset links, redirects, canonical links) from a configured application hostname, not from request headers.
  4. Disable Unused Headers: Have the reverse proxy strip X-Forwarded-Host and similar override headers from incoming requests, and leave framework support for them off, unless a trusted proxy explicitly needs to set them.
  5. Application-Level Checks: Audit every place the application or its framework reads the Host header (request.host and equivalents) and make sure only the validated, canonical value is used.
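The override-header problem and the mitigation list side by side, as an added example that is not part of the original page: vulnerable_reset_url() builds a password reset link the way an application trusting X-Forwarded-Host or Host does, while canonical_host() and resolve_host() implement whitelist validation, canonicalization, rejection of duplicate Host headers and opt-in handling of X-Forwarded-Host, and safe_reset_url() refuses to build a link from anything else. ALLOWED_HOSTS, the hostnames and the reset path are assumptions for an example application.

```python
"""Host resolution for building absolute URLs: the trusting version beside a
hardened one.

Added example, not code from the original page. ALLOWED_HOSTS, the hostnames
and the reset path are placeholders for an example application; a real app
would load the whitelist from configuration.
"""
import re
from typing import List, Optional, Set, Tuple

Headers = List[Tuple[str, str]]   # (name, value) pairs, in wire order

ALLOWED_HOSTS: Set[str] = {"vulnerable.com", "www.vulnerable.com"}  # assumed
TRUST_FORWARDED_HOST = False  # True only behind a proxy that sets the header itself

# hostname labels (letters, digits, inner hyphens) with an optional numeric port
_HOST_RE = re.compile(
    r"^(?P<host>[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)"
    r"(?::(?P<port>\d{1,5}))?$"
)


def _values(headers: Headers, name: str) -> List[str]:
    """All values for a header, matched case-insensitively, in order."""
    return [v for n, v in headers if n.lower() == name.lower()]


def vulnerable_reset_url(headers: Headers, token: str) -> str:
    """The pattern behind password reset poisoning: the first override
    header, or else the first Host header, is used as-is."""
    forwarded = _values(headers, "X-Forwarded-Host")
    host = forwarded[0] if forwarded else _values(headers, "Host")[0]
    return f"https://{host}/reset?token={token}"


def canonical_host(value: str) -> Optional[str]:
    """Normalize a Host value; None if it is malformed."""
    # proxies may chain values with commas; only the first is meaningful
    value = value.split(",")[0].strip().lower().rstrip(".")
    match = _HOST_RE.match(value)
    if not match:
        return None                      # e.g. "vulnerable.com:evil", stray characters
    host = match.group("host")
    port = int(match.group("port")) if match.group("port") else None
    if port is not None and not 1 <= port <= 65535:
        return None
    if port in (None, 443):              # the default https port is dropped
        return host
    return f"{host}:{port}"


def resolve_host(headers: Headers, allowed: Set[str] = ALLOWED_HOSTS,
                 trust_forwarded: bool = TRUST_FORWARDED_HOST) -> Optional[str]:
    """Return the canonical host if it is whitelisted, else None.

    Exactly one value is required (duplicate Host headers are a classic
    front-end/back-end discrepancy), X-Forwarded-Host counts only when
    explicitly trusted, and a value that is present but invalid never falls
    back to another header.
    """
    if trust_forwarded and _values(headers, "X-Forwarded-Host"):
        candidates = _values(headers, "X-Forwarded-Host")
    else:
        candidates = _values(headers, "Host")
    if len(candidates) != 1:
        return None
    canon = canonical_host(candidates[0])
    if canon is None or canon not in allowed:
        return None
    return canon


def safe_reset_url(headers: Headers, token: str) -> str:
    """Build the reset link only from a validated, canonical host."""
    host = resolve_host(headers)
    if host is None:
        raise ValueError("request Host is not an allowed hostname")
    return f"https://{host}/reset?token={token}"


if __name__ == "__main__":
    poisoned = [("Host", "vulnerable.com"), ("X-Forwarded-Host", "attacker.com")]
    print(vulnerable_reset_url(poisoned, "t0k3n"))   # link points at attacker.com
    print(safe_reset_url(poisoned, "t0k3n"))         # link points at vulnerable.com
```

Note that even with TRUST_FORWARDED_HOST enabled the forwarded value still has to pass canonicalization and the whitelist; trusting the proxy only changes which header is consulted, never whether it is validated. The safest variant of mitigation 3 is to skip the header entirely and use a configured hostname, which resolve_host() supports by simply being replaced with a constant.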

Tools for Testing