Hunt host header injection attacks

hunt-host-header · skill · setup
elementalsouls/Claude-BugHunter
What it does

Injects a forged Host header to poison password-reset links, cached responses, backend routing and OAuth redirect_uri values.

Best for

Security researchers hunting account takeover on apps behind a CDN or reverse proxy where the Host header is not part of the cache key.

Inputs

  • target forgot-password / email endpoint
  • cache-fronted app
  • OAuth issuer/discovery endpoint

Outputs

  • reset email sent to attacker domain
  • cache poisoning proof (HIT on second request)
  • SSRF to internal service via Host routing
  • OAuth token redirected

Requires

  • curl
  • openssl s_client (Dual-Host test)
  • Burp Suite
  • Collaborator (OOB verify)

Preconditions

  • password reset endpoint accessible
  • unvalidated Host used in email links OR cache key

Failure modes

  • ALLOWED_HOSTS allowlist strictly enforced
  • unkeyed cache hits don't occur
  • Host override stripped by reverse proxy

Trust signals

  • Cites PortSwigger research (Kettle) and Detectify-era papers
  • Includes Dual-Host smuggling (RFC parser evasion)
  • Real paid examples from CDN deployments