Host Header Injection
When processing an incoming HTTP request, the webserver needs to know which component or virtual host should complete the request. The Host HTTP header is used for this purpose.
All HTTP headers, including the Host header, are user-controlled data. If the application uses the value of any HTTP header without validation, it is exposed to header injection attacks.
Host header injection allows attackers to manipulate the response to perform arbitrary redirection, cache poisoning, and information disclosure.
Do not rely on the value of headers. If you have to do so, accept only whitelisted values.
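One way to apply the whitelist advice, as an added example that is not code from the original page: the Host header is parsed strictly, compared against a fixed set of names, and only the canonical whitelisted name is used to build a redirect. The hostnames, ports and function names here are assumptions chosen for illustration.

```python
import re

# Assumption: names and ports this deployment serves (constructed samples).
ALLOWED_HOSTS = {"shop.example.com", "www.example.com"}
ALLOWED_PORTS = {None, 80, 443}

# host[:port] where host is a plain DNS name. Userinfo ("@"), paths,
# whitespace, commas and IP literals do not match and are rejected.
# re.ASCII stops Unicode look-alikes from matching case-insensitively.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(
    rf"(?P<host>{_LABEL}(?:\.{_LABEL})*)\.?(?::(?P<port>[0-9]{{1,5}}))?",
    re.IGNORECASE | re.ASCII,
)


def validate_host(header_values):
    """Return the canonical whitelisted hostname, or None to reject.

    header_values: every Host header value present on the request.
    """
    # Exactly one Host header is expected; duplicates are ambiguous.
    if len(header_values) != 1:
        return None
    # fullmatch (not match with "$") so a trailing newline is rejected too.
    match = _HOST_RE.fullmatch(header_values[0])
    if match is None:
        return None
    host = match.group("host").lower()
    port = int(match.group("port")) if match.group("port") else None
    if host in ALLOWED_HOSTS and port in ALLOWED_PORTS:
        return host
    return None


def handle(header_values, path="/"):
    """Toy request handler: returns (status, Location value or None)."""
    host = validate_host(header_values)
    if host is None:
        return 400, None  # the rejected value is never echoed back
    # The redirect target is built from the whitelisted value only.
    return 301, f"https://{host}{path}"
```

Rejecting with a fixed 400 response, rather than falling back to a default virtual host, also keeps an unvalidated Host value out of any cached response.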