HTTP Host header Attacks in Web App Penetration Testing | 2023

In this section, we’ll explain what Host Header Attack is, describe some types, explain how to find and exploit Host Header Attack and summarize how to prevent Host Header Attack | Karthikeyan Nagaraj

Karthikeyan Nagaraj
7 min readNov 4, 2023

--

What is the HTTP Host header?

The HTTP Host header is a mandatory request header as of HTTP/1.1. It specifies the domain name that the client wants to access. For example, when a user visits https://portswigger.net/web-security, their browser will compose a request containing a Host header as follows:

GET /web-security HTTP/1.1
Host: portswigger.net

In some cases, such as when the request has been forwarded by an intermediary system, the Host value may be altered before it reaches the intended back-end component. We will discuss this scenario in more detail below.

What is the purpose of the HTTP Host header?

The purpose of the HTTP Host header is to help identify which back-end component the client wants to communicate with. If requests didn’t contain Host headers, or if the Host header was malformed in some way, this could lead to…

--

--

Karthikeyan Nagaraj

Entrepreneur | Writer | Cyber Security Consultant | AI Researcher