Host Header Injection

Impact: Medium


When processing an incoming HTTP request, the webserver needs to know which component or virtual host should complete the request. The Host HTTP header is used for this purpose. All HTTP headers including the Host header are user-controlled data. If the application uses the value of any HTTP header without validation, a header injection attack occurs. Host header injection allows attackers to manipulate the response to perform arbitrary redirection, cache poisoning, and information disclosure.


Do not rely on the value of headers. If you have to do so, accept a whitelisted value only.


Last updated on December 12, 2021

Use SmartScanner Free version to test for this issue