Host Header Injection
Impact: Medium
Description
When processing an incoming HTTP request, the webserver needs to know which component or virtual host should complete the request. The Host HTTP header is used for this purpose.
All HTTP headers, including the Host header, are user-controlled data. If the application uses the value of any HTTP header without validation, it is exposed to a header injection attack.
Host header injection allows attackers to manipulate the response to perform arbitrary redirection, cache poisoning, and information disclosure.
Recommendation
Do not rely on the value of headers. If you have to do so, accept a whitelisted value only.
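The following is an added example, not code from the original page, showing the pattern the description and recommendation refer to: a redirect whose Location URL is assembled from the request's Host header, beside two hardened alternatives (use a configured canonical host and ignore the header, or accept the header only when its normalized value is on an allowlist). The hostnames, the `ALLOWED_HOSTS` and `CANONICAL_HOST` settings, and the header dictionaries are constructed for the example; IPv6 host literals are deliberately not accepted by the normalizer.

```python
import re

# Constructed configuration for this example: the host[:port] values this
# deployment legitimately serves, and the canonical host to use when the
# application does not need to depend on the request's Host header at all.
ALLOWED_HOSTS = frozenset({"example.com", "www.example.com", "www.example.com:8443"})
CANONICAL_HOST = "www.example.com"

# DNS-name (or IPv4 literal) with an optional port. IPv6 literals are rejected.
_HOST_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*"
    r"(?::\d{1,5})?$"
)


class HostHeaderError(ValueError):
    """Raised when the Host header is missing, malformed, or not allowlisted."""


def _get_header(headers, name):
    """Case-insensitive lookup in a plain dict of request headers (constructed input)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def normalize_host(raw):
    """Canonicalize a Host value so allowlist comparison is exact:
    lower-case, strip whitespace and a trailing dot, drop an explicit :443."""
    if raw is None or not raw.strip():
        raise HostHeaderError("missing or empty Host header")
    value = raw.strip().lower()
    name, sep, port = value.rpartition(":")
    if not sep:
        name, port = value, ""
    name = name.rstrip(".")
    if port == "443":  # default HTTPS port carries no information
        port = ""
    host = f"{name}:{port}" if port else name
    if not _HOST_RE.match(host):
        raise HostHeaderError(f"malformed Host header: {raw!r}")
    return host


def validated_host(headers):
    """Return the request's Host only if it is on the allowlist; otherwise raise."""
    host = normalize_host(_get_header(headers, "Host"))
    if host not in ALLOWED_HOSTS:
        raise HostHeaderError(f"Host {host!r} is not an allowed host")
    return host


def login_redirect_vulnerable(headers, next_path):
    # VULNERABLE pattern: the Location URL echoes the Host header verbatim, so
    # whoever controls that header controls where the client is sent, and a
    # cache that stores this response serves the poisoned redirect to others.
    host = _get_header(headers, "Host") or ""
    return {"status": 302, "headers": {"Location": f"https://{host}{next_path}"}}


def canonical_redirect(headers, next_path):
    # Preferred fix: do not rely on the header at all; build absolute URLs
    # from configuration. The headers argument is ignored on purpose.
    return {"status": 302, "headers": {"Location": f"https://{CANONICAL_HOST}{next_path}"}}


def login_redirect(headers, next_path):
    # Fallback fix when the host must come from the request: accept only an
    # allowlisted value and fail closed with 400 instead of guessing.
    try:
        host = validated_host(headers)
    except HostHeaderError as exc:
        return {"status": 400, "headers": {}, "body": str(exc)}
    return {"status": 302, "headers": {"Location": f"https://{host}{next_path}"}}


if __name__ == "__main__":
    request = {"Host": "WWW.Example.com:443"}  # constructed request headers
    print(login_redirect_vulnerable(request, "/account"))
    print(canonical_redirect(request, "/account"))
    print(login_redirect(request, "/account"))
    print(login_redirect({"Host": "attacker-controlled.example.net"}, "/account"))
```

The normalization step matters as much as the allowlist: without it, `WWW.Example.com:443` and `www.example.com` compare unequal and legitimate traffic is rejected, which is the usual reason such checks get disabled in practice. A real deployment would also apply the same validation to any forwarded-host header it chooses to honor.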
References
Last updated on December 12, 2021