Exercise 55: HTTP Host Header Injection

Jul 6, 2025

Objective

Learn how to exploit HTTP Host Header Injection vulnerabilities to perform attacks such as web cache poisoning, redirecting users to malicious sites, or bypassing security controls. Understand how to mitigate these attacks through input validation and secure server configurations.


Scenario

You are testing a web application that dynamically generates links or performs redirects based on the HTTP Host header. Due to a lack of validation, an attacker can manipulate the Host header to inject malicious content or redirect users to malicious websites.


Lab Setup

Prerequisites:

  • Basic knowledge of PHP and web servers.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
  • Tools like Burp Suite or browser developer tools to modify HTTP headers.

Step 1: Create the Vulnerable Web Application

  1. PHP Script with Host Header Vulnerability
    • Create a file redirect.php:

        <?php
        // Deliberately vulnerable: the Host header is trusted as-is
        $host = $_SERVER['HTTP_HOST'];
        echo "<a href='http://$host/login.php'>Login</a>";
        if (isset($_GET['redirect'])) {
            header("Location: http://$host/" . $_GET['redirect']);
            exit;
        }
        ?>
        <h2>Welcome to Our Website</h2>
        <a href="redirect.php?redirect=dashboard.php">Go to Dashboard</a>
  2. Running the Application
    • Start the Apache server.
    • Place redirect.php in the web server’s root directory (htdocs for XAMPP).
    • Open http://localhost/redirect.php in your browser.

Exploitation Steps

Step 1: Modifying the Host Header

  1. Open Burp Suite and intercept the request to http://localhost/redirect.php?redirect=dashboard.php.
  2. Modify the Host header: Host: evil.com
  3. Forward the request.

Expected Result:

  • The server's redirect now sends the browser to http://evil.com/dashboard.php, leading users to a malicious website.

Step 2: Web Cache Poisoning

  1. Modify the Host header to cache a malicious link: Host: evil.com
  2. Access the cached page.

Expected Result:

  • Other users accessing the same page get redirected to the malicious domain due to the poisoned cache.

Solution and Prevention

Problem Analysis

  • The application reflects the Host header without validation, allowing attackers to manipulate responses.

Fixing the Vulnerability

  1. Validate the Host Header
    • Only allow trusted domains:

        $allowed_hosts = ['localhost', 'example.com'];
        // Strict comparison: the header must equal an entry exactly
        if (!in_array($_SERVER['HTTP_HOST'], $allowed_hosts, true)) {
            header("HTTP/1.1 400 Bad Request");
            exit("Invalid Host Header");
        }
  2. Use Hardcoded URLs
    • Avoid using the Host header in dynamic links:

        echo "<a href='https://example.com/login.php'>Login</a>";
  3. Configure Web Server to Reject Invalid Hosts
    • Set the ServerName and disable untrusted Host headers in Apache:

        <VirtualHost *:80>
            ServerName example.com
            ServerAlias www.example.com
        </VirtualHost>
  4. Use Strict Content Security Policy (CSP)
    • Restrict domains allowed in links and redirects:

        header("Content-Security-Policy: default-src 'self'");
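The following is an added example, not the lab's own redirect.php, that combines fixes 1 and 2 into one hardened script. It assumes the canonical site is https://example.com and the allow-list from the fix above plus www.example.com (the ServerAlias used in fix 3). It goes slightly beyond the page's check: an optional :port is stripped and the comparison is case-insensitive, so a request for localhost:8080 on the XAMPP default port still passes, while evil.com and look-alike hosts such as example.com.evil.com are rejected. The function names validateHost and safeRedirectTarget, and the hosts and redirect targets replayed in the CLI self-check, are constructed for this example.

```php
<?php
// Added example (not the lab's code): hardened redirect.php.
// Assumptions: canonical site https://example.com; allow-list from the lab's fix.
declare(strict_types=1);

const ALLOWED_HOSTS  = ['localhost', 'example.com', 'www.example.com'];
const CANONICAL_BASE = 'https://example.com';

/**
 * Returns the normalised host when it is on the allow-list, otherwise null.
 * Strips an optional :port, lower-cases, and compares exactly (no substring match,
 * so "example.com.evil.com" does not pass). IPv6 literals are out of scope here.
 */
function validateHost(?string $rawHost, array $allowed = ALLOWED_HOSTS): ?string
{
    if ($rawHost === null || $rawHost === '') {
        return null;
    }
    $host = strtolower((string) preg_replace('/:\d+$/', '', $rawHost));
    return in_array($host, $allowed, true) ? $host : null;
}

/**
 * Accepts only a plain relative path such as "dashboard.php" or "account/settings".
 * Anything that could change scheme or host is rejected: a ":" (scheme separator),
 * backslashes, a leading slash ("//host" is protocol-relative), or "..".
 */
function safeRedirectTarget(?string $target): ?string
{
    if ($target === null || $target === '') {
        return null;
    }
    if (!preg_match('#^[A-Za-z0-9_./-]+$#', $target)) {
        return null;
    }
    if ($target[0] === '/' || strpos($target, '..') !== false) {
        return null;
    }
    return $target;
}

if (PHP_SAPI !== 'cli') {
    // Served by Apache: reject the request outright on an unknown Host.
    if (validateHost($_SERVER['HTTP_HOST'] ?? null) === null) {
        http_response_code(400);
        exit('Invalid Host header');
    }
    if (isset($_GET['redirect'])) {
        $target = safeRedirectTarget($_GET['redirect']);
        if ($target === null) {
            http_response_code(400);
            exit('Invalid redirect target');
        }
        // Absolute URL built from the configured base, never from the Host header.
        header('Location: ' . CANONICAL_BASE . '/' . $target, true, 302);
        exit;
    }
    echo "<a href='" . CANONICAL_BASE . "/login.php'>Login</a>";
    echo "<h2>Welcome to Our Website</h2>";
    echo "<a href='redirect.php?redirect=dashboard.php'>Go to Dashboard</a>";
} else {
    // Offline self-check (`php redirect.php`): replay constructed Host values
    // and redirect targets, including the lab's evil.com, without a web server.
    foreach (['localhost', 'localhost:8080', 'EXAMPLE.com', 'evil.com', 'example.com.evil.com'] as $h) {
        printf("Host %-22s => %s\n", $h, validateHost($h) ?? 'REJECTED');
    }
    foreach (['dashboard.php', '//evil.com', 'http://evil.com', '../admin'] as $t) {
        printf("redirect=%-16s => %s\n", $t, safeRedirectTarget($t) ?? 'REJECTED');
    }
}
```

Running the CLI branch shows the first three hosts accepted and the last two rejected, and only dashboard.php accepted as a redirect target. Of the fixes listed above, it is the Host allow-list together with the configured canonical base URL that stops the redirect in the lab; the redirect-target check is an extra guard because the original script also appends the redirect parameter unvalidated.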

Testing After Fix

  1. Attempt to modify the Host header to evil.com.
  2. Expected Result:
    • The server rejects the request or redirects only to allowed domains.
  3. Attempt to cache malicious links.
  4. Expected Result:
    • The cache does not serve malicious content.

Conclusion

In this lab, you exploited an HTTP Host Header Injection vulnerability to redirect users to a malicious site and poison web caches. You also learned how to mitigate this vulnerability by validating the Host header, hardcoding URLs, and properly configuring web servers.
